From owner-freebsd-security Thu Aug 1 7:14:56 2002
Delivered-To: freebsd-security@freebsd.org
Date: Thu, 1 Aug 2002 16:13:59 +0200
From: Artur Lindgren
To: Matt Piechota
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Trojan located in latest openssh tar files
In-Reply-To: <20020801091503.H91087-100000@cithaeron.argolis.org>
References: <20020801091503.H91087-100000@cithaeron.argolis.org>
Content-Type: text/plain; charset="us-ascii"; format="flowed"

>On Thu, 1 Aug 2002, Artur Lindgren wrote:
>
>> It runs once, upon compilation of openssh, and is named sh or the
>> compiling user's default shell in the process listing.
>> This trojan attempts to connect to 203.62.158.32:6667 (hacked machine
>> which has been secured now),
>> and awaits one of three characters as the command:
>>   D  execs /bin/sh
>>   M  respawns
>>   A  kills the daemon
>> The /bin/sh executed via the D command was controlled by the daemon
>> listening on 203.62.158.32:6667, potentially meaning that
>> people affected by this have given a shell, possibly root, to user unknown.
>
>Sounds like it'd only work for the current boot of the machine? Or does
>it hide somewhere and persist after reboot?
>
>--
>Matt Piechota

As I wrote, it runs once upon compilation :-)

/Artur Lindgren
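A defender-side check for the behaviour the quoted message describes, added here as an example and not part of the thread: it scans socket-listing lines in the column layout of FreeBSD's `sockstat -4c` (constructed sample data) and flags any process connected to the endpoint named in the thread, plus any shell process holding an outbound TCP connection while a build runs. The set of shell names is an assumption.

```python
"""Flag build-time processes talking to the reported C2 endpoint.

Added example, not from the mailing-list thread. Parses lines in the
`sockstat -4c` column layout (USER COMMAND PID FD PROTO LOCAL FOREIGN)
and reports connections to 203.62.158.32:6667 (the endpoint named in the
thread) and shells with an outbound TCP connection, which is what the
trojan looked like in the process listing while openssh was compiling.
"""
from typing import List, Tuple

KNOWN_C2 = ("203.62.158.32", 6667)                    # endpoint from the thread
SHELLS = {"sh", "csh", "tcsh", "bash", "ksh", "zsh"}  # assumption: common shells

# Constructed sample, mimicking `sockstat -4c` during a build of openssh.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       512   4  tcp4   192.168.57.109:22     192.168.57.10:50122
builder  sh         3060  3  tcp4   192.168.57.109:1042   203.62.158.32:6667
builder  cc1        3101  5  tcp4   192.168.57.109:1043   10.0.0.5:80
builder  csh        3200  3  tcp4   192.168.57.109:1044   10.0.0.9:6667
"""

def parse_sockstat(text: str) -> List[dict]:
    """Turn sockstat-style rows into dicts; skips the header and short rows."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[0] == "USER":
            continue
        host, _, port = parts[6].rpartition(":")   # FOREIGN ADDRESS -> host, port
        rows.append({"user": parts[0], "cmd": parts[1], "pid": int(parts[2]),
                     "proto": parts[4], "fhost": host, "fport": port})
    return rows

def suspicious(rows: List[dict]) -> List[Tuple[int, str, str]]:
    """Return (pid, command, reason) for every row matching either rule."""
    hits = []
    for r in rows:
        remote = (r["fhost"], int(r["fport"])) if r["fport"].isdigit() else None
        if remote == KNOWN_C2:
            hits.append((r["pid"], r["cmd"], "connects to known C2 %s:%d" % KNOWN_C2))
        elif r["cmd"] in SHELLS and r["proto"].startswith("tcp") and remote:
            hits.append((r["pid"], r["cmd"], "shell with outbound TCP to %s:%d" % remote))
    return hits

if __name__ == "__main__":
    for hit in suspicious(parse_sockstat(SAMPLE_SOCKSTAT)):
        print("pid %d (%s): %s" % hit)
```

Run it against live `sockstat -4c` output piped into `parse_sockstat` while `make` is running; the sample hits are pids 3060 and 3200.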