Security Incidents mailing list archives
Possible remote vulnerability in SSH-1.2.27
From: stealth <stealth () Land AM>
Date: Wed, 2 Oct 2002 12:14:58 +0500 (AMST)
A worm scans the network for special configuratiom (particulary ssh-1.x.x allowing remote root login), using buffer overflow, as I could determine gets remote root shell, copies some code, compiles it and runs. The code also include scanner, for the worm to continue it's job from the machine it vulnes. It also ereases /var/log/messages, and stops syslogd and many other services (see attacment for details), disables $HISTORY, adds a user `tcp' to the system passwd file, ereases `top', `netstat', `ps', replaces the sshd with some other service it calles backdoor together with it's configuration file, runs it instead of sshd, changes config files like known_hosts, random_seed, etc, chattr +i /etc/passwd and /etc/shadow to make them readonly. Does a lot of other things, you can find them in the attached script I could recover from theleted files. The main goal, as I could determine is to run a process `httpd', that is actually an IRC bot. For the whole stuff in tar.gz format (source code of the scanner, IRC bot, etc) please let me know privately via e-mail.
Attachment:
hackscript
Description:
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Possible remote vulnerability in SSH-1.2.27 stealth (Oct 02)
- Re: Possible remote vulnerability in SSH-1.2.27 Alexandru Frangeti (Oct 03)
- Re: Possible remote vulnerability in SSH-1.2.27 Andrei Muresan (Oct 03)
- Re: Possible remote vulnerability in SSH-1.2.27 Alexandru Balan (Oct 04)
- Re: Possible remote vulnerability in SSH-1.2.27 Alvin Oga (Oct 05)
- Re: Possible remote vulnerability in SSH-1.2.27 Alexandru Balan (Oct 04)