Possible remote vulnerability in SSH-1.2.27

[stealth <stealth () Land AM>]

A worm scans the network for special configuratiom (particulary ssh-1.x.x
allowing remote root login), using buffer overflow, as I could determine
gets remote root shell, copies some code, compiles it and runs.
The code also include scanner, for the worm to continue it's job from the
machine it vulnes.

It also ereases /var/log/messages, and stops syslogd and many other
services (see attacment for details), disables $HISTORY, adds a user `tcp'
to the system passwd file, ereases `top', `netstat', `ps', replaces the
sshd with some other service it calles backdoor together with it's
configuration file, runs it instead of sshd, changes config files like
known_hosts, random_seed, etc, chattr +i /etc/passwd and /etc/shadow to
make them readonly. Does a lot of other things, you can find them in the
attached script I could recover from theleted files.

The main goal, as I could determine is to run a process `httpd', that is
actually an IRC bot.

For the whole stuff in tar.gz format (source code of the scanner, IRC bot,
etc) please let me know privately via e-mail.

Attachment: hackscript
Description:

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com