[Dshield] Trojanned SSH Server

jayjwa jayjwa at atr2.ath.cx
Wed Dec 28 11:00:31 GMT 2005

Does anyone know where this sshd comes from? I've seen this banner many times 
on hacked hosts. This host appeared one too many times in the fw logs as 
trying to send to UPD messenger spam posts, plus 4275//udp, which I wasn't 
aware of as being messenger spam (a few posts to dslreports claimed it was, 
not sure myself).

1007/tcp open     unknown

Funny place for a service. The host is also running RPC's open to the 'Net. 
Probably how it got whacked it begin with.

Here's the banner:

Total amount of tasks to perform in plain connect mode: 23
Waiting for timeout on 23 connections ...

Protocol on (by trigger tivoli_tsm-server) matches ssh 
- banner: SSH-1.5-By-ICE_4_All ( Hackers Not Allowed! )\n

Dump of identified response from (by trigger 

0000:  5353 482d 312e 352d 4279 2d49 4345 5f34    [ SSH-1.5-By-ICE_4 ]
0010:  5f41 6c6c 2028 2048 6163 6b65 7273 204e    [ _All ( Hackers N ]
0020:  6f74 2041 6c6c 6f77 6564 2120 290a         [ ot Allowed! ).   ]

Unidentified ports: none.

amap v5.2 finished at 2005-12-28 03:28:49

It doesn't act like a typical sshd; most will return "Protocal Mismatch" when 
connecting with a non-ssh client, such as telnet, sbd, netcat, etc. This one 
didn't. It only gave up this banner after running amap.

The only refences I've found on Google do speak of a rootkit, but don't give 
specific info on the sshd. I'm wonder where it's from/does it come with 
another rootkit/does it come standalone/is it itself infected with anything 
(OSF/RST viruses)/etc ...

[GCC 4.* Hater's Club]  Things more fun than trying to use GCC 4.*:
   1. Licking frozen metal objects outside in -10F weather.   warning:
   2. Slamming one's fingers in car door, repeatedly.   differ in sign
   3. Drink 12oz tall glass of Draino.        *** [snmp_api.lo] Error 1
Waste alot of time! Break your system! Get GCC: ftp.gnu.org/gnu/gcc

More information about the list mailing list