Date: Thu, 1 Aug 2002 09:16:53 -0400 (EDT)
From: Matt Piechota <piechota@argolis.org>
To: Artur Lindgren <bond@comitnet.se>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Trojan located in latest openssh tar files
Message-ID: <20020801091503.H91087-100000@cithaeron.argolis.org>
In-Reply-To: <a05111b06b96ed5c3da7c@[192.168.57.109]>

On Thu, 1 Aug 2002, Artur Lindgren wrote:

> It runs once, upon compilation of openssh, and is named sh or the
> compiling user's default shell in the processlist in the process
> listing.
> This trojan attempts to connect to 203.62.158.32:6667 (hacked machine
> which has been secured now),
> and awaits one of three characters as the command;
> D execs /bin/sh
> M respawns
> A kills the daemon
> The /bin/sh executed via the D command was controlled by the daemon
> listening on 203.62.158.32:6667, potentially meaning that
> people affected by this have given a shell, possibly root, to user unknown.

Sounds like it'd only work for the current boot of the machine? Or does
it hide somewhere and persist after reboot?

-- 
Matt Piechota

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020801091503.H91087-100000>
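
A defender's check for the connection the quoted report describes, as an added example that is not part of the original message: it scans `sockstat -4`-style output for a shell-named process connected to 203.62.158.32:6667. The sample lines are constructed, the function names are hypothetical, and the seven-column layout (USER COMMAND PID FD PROTO LOCAL FOREIGN) is an assumption.

```shell
#!/bin/sh
# Added example: flag shell-named processes holding a TCP connection to the
# address named in the quoted report. The report says the process shows up
# as "sh" or the compiling user's default shell, so the command name is
# matched against common shell names (an assumed list).

IOC_ADDR="203.62.158.32:6667"   # address and port from the quoted report

# Constructed sample input, not captured from a real host.
sample_sockstat() {
cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       211   3  tcp4   *:22                  *:*
build    sh         4312  3  tcp4   192.0.2.10:49152      203.62.158.32:6667
build    irssi      4400  5  tcp4   192.0.2.10:49153      198.51.100.7:6667
build    csh        4500  4  tcp4   192.0.2.10:49154      203.62.158.32:6667
www      httpd      512   16 tcp4   192.0.2.10:80         198.51.100.9:51000
EOF
}

# Reads sockstat-style lines on stdin and prints "PID COMMAND USER" for each
# match. Exit status is 0 if at least one match was found, 1 otherwise.
find_suspect_shells() {
    awk -v ioc="$IOC_ADDR" '
        NR == 1 && $1 == "USER" { next }   # skip the header line
        $5 ~ /^tcp/ && $7 == ioc &&
        $2 ~ /^(sh|csh|tcsh|bash|ksh|zsh)$/ {
            print $3, $2, $1
            found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# Demo on the constructed sample; on a live host, pipe `sockstat -4` instead.
sample_sockstat | find_suspect_shells
```

The irssi line in the sample is an ordinary IRC client on port 6667 and is not flagged, because the match is on the reported address and a shell process name, not on the port alone.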
