[Dshield] Trojanned SSH Server
jayjwa at atr2.ath.cx
Wed Dec 28 11:00:31 GMT 2005
Does anyone know where this sshd comes from? I've seen this banner many times
on hacked hosts. This host appeared one too many times in the fw logs as
trying to send UDP messenger spam posts, plus 4275/udp, which I wasn't
aware of as being messenger spam (a few posts to dslreports claimed it was,
not sure myself).
1007/tcp open unknown
Funny place for a service. The host is also running RPCs open to the 'Net.
Probably how it got whacked to begin with.
Here's the banner:
Total amount of tasks to perform in plain connect mode: 23
Waiting for timeout on 23 connections ...
Protocol on 18.104.22.168:1007/tcp (by trigger tivoli_tsm-server) matches ssh
- banner: SSH-1.5-By-ICE_4_All ( Hackers Not Allowed! )\n
Dump of identified response from 22.214.171.124:1007/tcp (by trigger
0000: 5353 482d 312e 352d 4279 2d49 4345 5f34 [ SSH-1.5-By-ICE_4 ]
0010: 5f41 6c6c 2028 2048 6163 6b65 7273 204e [ _All ( Hackers N ]
0020: 6f74 2041 6c6c 6f77 6564 2120 290a [ ot Allowed! ). ]
Unidentified ports: none.
amap v5.2 finished at 2005-12-28 03:28:49
It doesn't act like a typical sshd; most will return "Protocol Mismatch" when
connecting with a non-ssh client, such as telnet, sbd, netcat, etc. This one
didn't. It only gave up this banner after running amap.
The only references I've found on Google do speak of a rootkit, but don't give
specific info on the sshd. I'm wondering where it's from/does it come with
another rootkit/does it come standalone/is it itself infected with anything
(OSF/RST viruses)/etc ...
[GCC 4.* Hater's Club] Things more fun than trying to use GCC 4.*:
1. Licking frozen metal objects outside in -10F weather. warning:
2. Slamming one's fingers in car door, repeatedly. differ in sign
3. Drink 12oz tall glass of Draino. *** [snmp_api.lo] Error 1
Waste a lot of time! Break your system! Get GCC: ftp.gnu.org/gnu/gcc
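As an added example (not from the original post), a small Python script that rebuilds the banner from the amap hex dump quoted above and flags the traits that make this sshd worth a second look: an SSH identification string on a port other than 22, an SSH-1.5-only server, and a match against a local list of banners previously seen on compromised hosts. The indicator set and the expected-port set are assumptions for illustration.

```python
import re

# Constructed sample: the amap hex dump lines from the post (offset, hex words, ASCII gutter).
AMAP_DUMP = """\
0000: 5353 482d 312e 352d 4279 2d49 4345 5f34 [ SSH-1.5-By-ICE_4 ]
0010: 5f41 6c6c 2028 2048 6163 6b65 7273 204e [ _All ( Hackers N ]
0020: 6f74 2041 6c6c 6f77 6564 2120 290a [ ot Allowed! ). ]
"""

# Assumed local indicator list: banners seen on hacked hosts (the one from the post).
KNOWN_BAD_BANNERS = {"SSH-1.5-By-ICE_4_All"}
# Assumed set of ports where an sshd is expected on this network.
EXPECTED_SSH_PORTS = {22}


def decode_amap_dump(dump: str) -> bytes:
    """Rebuild the raw bytes from amap's 'offset: hex... [ ascii ]' lines."""
    out = bytearray()
    for line in dump.splitlines():
        m = re.match(r"^[0-9a-fA-F]+:\s+((?:[0-9a-fA-F]{2,4}\s+)+)\[", line)
        if not m:
            continue
        out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def parse_ssh_banner(raw: bytes) -> dict:
    """Split an SSH identification string into its RFC 4253 parts."""
    line = raw.split(b"\n", 1)[0].rstrip(b"\r").decode("ascii", "replace")
    m = re.match(r"^SSH-(?P<proto>[^-]+)-(?P<software>\S+)(?: (?P<comments>.*))?$", line)
    if not m:
        return {"valid": False, "raw": line}
    return {"valid": True, "raw": line, **m.groupdict()}


def assess_banner(raw: bytes, port: int) -> list:
    """Return the reasons, if any, to treat this sshd as suspicious."""
    info = parse_ssh_banner(raw)
    if not info["valid"]:
        return ["response is not an SSH identification string"]
    findings = []
    if port not in EXPECTED_SSH_PORTS:
        findings.append(f"sshd on unexpected port {port}")
    if info["proto"] == "1.5":  # SSH-1 only; a modern sshd announces 1.99 or 2.0
        findings.append("legacy SSH-1.5 protocol only")
    ident = f"SSH-{info['proto']}-{info['software']}"
    if ident in KNOWN_BAD_BANNERS:
        findings.append(f"banner matches known trojan sshd: {ident}")
    return findings
```

Run `assess_banner(decode_amap_dump(AMAP_DUMP), 1007)` to see all three findings raised for the banner from the post.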