[Dshield] Trojanned SSH Server
matt.richard at gmail.com
Wed Dec 28 14:07:56 GMT 2005
> Does anyone know where this sshd comes from?
I have seen this binary before, in fact it was part of the
Honeynet.org Scan of the Month 29
> - banner: SSH-1.5-By-ICE_4_All ( Hackers Not Allowed! )\n
If you take a look at question 7 you will see that there was a binary
named "smbd -D" (yes the flag was part of the name) that contained
"SSH-1.5-By-ICE_4_All ( Hackers Not Allowed! )". This binary was a
modified version of OpenSSH that came in a rootkit named rk.tar.gz.
> 1007/tcp open unknown
> Funny place for a service.
In the incident the "smbd -D" binary was listening on 80/tcp, 443/tcp
and 2003/tcp but those are really arbitrary port assignments.
So from what I know it's a fairly old rootkit that was used in
conjunction with OpenSSL exploits in 2003.
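The post identifies the trojaned sshd from two observations: a distinctive banner string and an sshd answering on an odd port. The script below, added here as an example and not code from the post or from Honeynet.org, turns that into a small checker a defender can run over scan output: it parses the SSH identification string per RFC 4253 (SSH-protoversion-softwareversion [SP comments]) and flags the known rootkit marker, a protocol-1-only banner, and a non-standard port. The marker list and the set of expected SSH ports are assumptions chosen for the example; the banner itself is the one quoted in the thread, and the scan observations are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed list of banner substrings tied to known trojaned sshd builds.
# "By-ICE_4_All" is the marker quoted in the post (rk.tar.gz, SotM 29).
SUSPICIOUS_BANNER_MARKERS: Tuple[str, ...] = ("By-ICE_4_All",)

# Assumed set of ports where an sshd is expected on this network.
EXPECTED_SSH_PORTS = {22}

# RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments]
_ID_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")


@dataclass
class BannerVerdict:
    port: int
    proto: Optional[str] = None
    software: Optional[str] = None
    comments: Optional[str] = None
    findings: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def parse_ssh_banner(raw: str) -> Optional[Tuple[str, str, Optional[str]]]:
    """Split an SSH identification line into (proto, software, comments).

    Returns None if the line is not an SSH identification string at all.
    Trailing CR/LF (the "\\n" seen in the scan output) is ignored.
    """
    m = _ID_RE.match(raw.rstrip("\r\n"))
    if not m:
        return None
    return m.group("proto"), m.group("software"), m.group("comments")


def assess_ssh_banner(port: int, raw: str) -> BannerVerdict:
    """Score one observed (port, banner) pair against the heuristics above."""
    verdict = BannerVerdict(port=port)
    parsed = parse_ssh_banner(raw)
    if parsed is None:
        verdict.findings.append("not an SSH identification string")
        return verdict
    verdict.proto, verdict.software, verdict.comments = parsed

    for marker in SUSPICIOUS_BANNER_MARKERS:
        if marker in verdict.software:
            verdict.findings.append(f"software field matches known trojaned sshd marker {marker!r}")

    # A banner that only offers protocol 1 (e.g. "1.5") is unusual for a
    # maintained OpenSSH build, which advertises 1.99 (both) or 2.0.
    if verdict.proto.startswith("1.") and verdict.proto != "1.99":
        verdict.findings.append(f"advertises protocol-1-only version {verdict.proto}")

    if port not in EXPECTED_SSH_PORTS:
        verdict.findings.append(f"sshd answering on {port}/tcp instead of an expected SSH port")
    return verdict


def assess_scan(observations: Dict[int, str]) -> Dict[int, BannerVerdict]:
    """Run the check over a {port: banner} map, e.g. built from nmap -sV output."""
    return {port: assess_ssh_banner(port, banner) for port, banner in observations.items()}


if __name__ == "__main__":
    # Constructed sample: the port/banner from the post plus a benign sshd on 22.
    sample = {
        1007: "SSH-1.5-By-ICE_4_All ( Hackers Not Allowed! )\n",
        22: "SSH-2.0-OpenSSH_4.2\r\n",
    }
    for port, v in sorted(assess_scan(sample).items()):
        status = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"{port}/tcp {status}: proto={v.proto} software={v.software} comments={v.comments}")
        for f in v.findings:
            print(f"    - {f}")
```

On the sample above the 1007/tcp entry is flagged three times (marker, protocol 1.5, odd port) while 22/tcp is reported clean; since the rootkit's listener ports were arbitrary, the banner marker is the finding to trust, and the port heuristic is only there to surface sshd instances that were never meant to exist.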