Security Incidents mailing list archives
Re: Possible remote vulnerability in SSH-1.2.27
From: Andrei Muresan <andrei () btrl ro>
Date: Thu, 3 Oct 2002 08:34:45 +0300
On Wed, 2 Oct 2002 12:14:58 +0500 (AMST) stealth <stealth () Land AM> wrote:
> A worm scans the network for a special configuration (particularly ssh-1.x.x allowing remote root login); using a buffer overflow, as far as I could determine, it gets a remote root shell, copies some code, compiles it and runs it. The code also includes a scanner, for the worm to continue its job from the machine it vulnes. It also erases /var/log/messages, and stops syslogd and many other services (see attachment for details), disables $HISTORY, adds a user `tcp' to the system passwd file, erases `top', `netstat', `ps', replaces the sshd with some other service it calls backdoor together with its configuration file, runs it instead of sshd, changes config files like known_hosts, random_seed, etc., chattr +i /etc/passwd and /etc/shadow to make them read-only. It does a lot of other things; you can find them in the attached script I could recover from the deleted files. The main goal, as far as I could determine, is to run a process `httpd' that is actually an IRC bot. For the whole stuff in tar.gz format (source code of the scanner, IRC bot, etc.) please let me know privately via e-mail.
This is just another bored Romanian kid; it seems we've got lots here. Nothing special about the script, having in mind that it is a simple _plain_ text file; probably it's very popular on the _newbie_ scene. For them it's an out-of-the-box backdoor solution, no matter how superficial the capability. If we think about the "stealth" nature of the install, we can be almost sure it's all about a lame user/group that does mass scanning/hacking for their "big" IRC war. Bottom line, just have a tripwire installed/configured and you'll "have" them by dinner. Maybe they think "hey, it's so simple that they won't even see it or bother to remove it", who knows...

My kind regards,

--
Andrei MURESAN
Network Administrator
IT Department
Banca Transilvania, Cluj-Napoca

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
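A minimal tripwire-style integrity check of the kind the reply recommends, added here as an example and not part of the original thread or of any tool it mentions. It hashes every regular file under a set of directories into a JSON baseline and reports files that were added, removed or changed; the directory layout, file names and "trojaned" contents in `demo()` are constructed for the demonstration and mirror the binary replacements described in the report:

```python
"""Minimal tripwire-style file integrity checker (added example, not from the thread)."""
import hashlib
import json
import os
import stat
import tempfile


def file_fingerprint(path):
    """Return a dict of sha256, permission bits and size for one regular file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return {"sha256": h.hexdigest(),
            "mode": oct(stat.S_IMODE(st.st_mode)),
            "size": st.st_size}


def build_baseline(root_dirs):
    """Walk the given directories and fingerprint every regular file (symlinks skipped)."""
    baseline = {}
    for root in root_dirs:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                p = os.path.join(dirpath, name)
                if os.path.islink(p) or not os.path.isfile(p):
                    continue
                baseline[p] = file_fingerprint(p)
    return baseline


def save_baseline(baseline, path):
    """Persist the baseline; in practice keep this copy off-host or on read-only media."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Diff two baselines: paths only in current, only in baseline, or with differing fingerprints."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current)
                     if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario: baseline a fake bin directory, then simulate a
    replaced `ps`, a dropped `backdoor` binary and a deleted `top`, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        binroot = os.path.join(tmp, "bin")
        os.makedirs(binroot)
        for name in ("ps", "netstat", "top", "sshd"):
            with open(os.path.join(binroot, name), "wb") as f:
                f.write(b"original " + name.encode())
        baseline = build_baseline([binroot])
        # Round-trip through disk, as a real check would read a stored baseline.
        store = os.path.join(tmp, "baseline.json")
        save_baseline(baseline, store)
        baseline = load_baseline(store)

        # Simulated tampering of the kind the report describes (constructed data).
        with open(os.path.join(binroot, "ps"), "wb") as f:
            f.write(b"replacement ps that hides the bot process")
        with open(os.path.join(binroot, "backdoor"), "wb") as f:
            f.write(b"replacement for sshd")
        os.remove(os.path.join(binroot, "top"))

        report = compare(baseline, build_baseline([binroot]))
        # Strip the temporary prefix so the result is stable across runs.
        return {k: [os.path.relpath(p, binroot) for p in v]
                for k, v in report.items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The baseline has to live somewhere the intruder cannot rewrite (off-host, or read-only media), and the checker should be run from a known-good copy of the interpreter and hashing library, since the report itself shows `ps`, `netstat` and `top` being swapped out; a baseline that only compares names and sizes would miss a same-size replacement, which is why the hash is the field that matters.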
Current thread:
- Possible remote vulnerability in SSH-1.2.27 stealth (Oct 02)
- Re: Possible remote vulnerability in SSH-1.2.27 Alexandru Frangeti (Oct 03)
- Re: Possible remote vulnerability in SSH-1.2.27 Andrei Muresan (Oct 03)
- Re: Possible remote vulnerability in SSH-1.2.27 Alexandru Balan (Oct 04)
- Re: Possible remote vulnerability in SSH-1.2.27 Alvin Oga (Oct 05)
- Re: Possible remote vulnerability in SSH-1.2.27 Alexandru Balan (Oct 04)
