[Dshield] Trojanned SSH Server

Matt Richard matt.richard at gmail.com
Wed Dec 28 14:07:56 GMT 2005


jayjwa,

> Does anyone know where this sshd comes from?

I have seen this binary before, in fact it was part of the
Honeynet.org Scan of the Month 29
http://www.honeynet.org/scans/scan29/sol/mrichard/scan29.html.

> - banner: SSH-1.5-By-ICE_4_All ( Hackers Not Allowed! )\n

If you take a look at question 7 you will see that there was a binary
named "smbd -D" (yes the flag was part of the name) that contained
"SSH-1.5-By-ICE_4_All ( Hackers Not Allowed! )".  This binary was a
modified version of OpenSSH that came in a rootkit named rk.tar.gz.

> 1007/tcp open     unknown
>
> Funny place for a service.

In the incident the "smbd -D" binary was listening on 80/tcp, 443/tcp
and 2003/tcp but those are really arbitrary port assignments.

So from what I know it's a fairly old rootkit that was used in
conjunction with OpenSSL exploits in 2003.

--
Matt Richard
http://www.mullingsecurity.com
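One way to check a host for the two indicators Matt describes (the rootkit's SSH banner, and a service binary whose flag is baked into the file name so it looks like "smbd -D" in a process listing) is a small defender-side script. This is an added example, not code from the thread or from the rootkit; the sample banners and process records are constructed inline to stand in for live banner grabs and a process listing.

```python
"""Flag indicators of the trojaned sshd discussed in the thread.

Constructed sample data only; on a live host you would feed in the
banner returned by each listening TCP port and, per process, the
resolved target of /proc/<pid>/exe.
"""
import os.path
import re

# Banner quoted in the thread. SSH identification strings have the form
# "SSH-protoversion-softwareversion [comments]".
KNOWN_BAD_BANNERS = {"SSH-1.5-By-ICE_4_All ( Hackers Not Allowed! )"}
BANNER_RE = re.compile(r"^SSH-(\d+\.\d+)-(\S+)(?: (.*))?$")


def classify_banner(banner):
    """Parse an SSH identification string; flag known-bad or legacy SSH-1."""
    line = banner.rstrip("\r\n")
    m = BANNER_RE.match(line)
    if not m:
        return {"valid": False, "suspicious": True, "reason": "not an SSH banner"}
    proto, software, comment = m.groups()
    # The rootkit advertises protocol 1.5; SSH-1 is obsolete on any modern host.
    suspicious = line in KNOWN_BAD_BANNERS or proto.startswith("1.")
    return {"valid": True, "proto": proto, "software": software,
            "comment": comment or "", "suspicious": suspicious}


def suspicious_processes(procs):
    """Return (pid, name, reason) for executables whose file name contains
    whitespace, i.e. a flag embedded in the binary name like "smbd -D"."""
    hits = []
    for p in procs:
        name = os.path.basename(p["exe"])
        if re.search(r"\s", name):
            hits.append((p["pid"], name, "flag embedded in binary name"))
    return hits


# Constructed sample: port -> banner grabbed, and processes with resolved exe.
SAMPLE_BANNERS = {22: "SSH-2.0-OpenSSH_9.6\r\n",
                  1007: "SSH-1.5-By-ICE_4_All ( Hackers Not Allowed! )\n"}
SAMPLE_PROCS = [{"pid": 812, "exe": "/usr/sbin/smbd", "ports": [139, 445]},
                {"pid": 913, "exe": "/usr/sbin/smbd -D", "ports": [1007]}]


def report(banners=SAMPLE_BANNERS, procs=SAMPLE_PROCS):
    """Collect human-readable findings from both checks."""
    findings = [f"port {port}: suspicious banner {b.strip()!r}"
                for port, b in banners.items() if classify_banner(b)["suspicious"]]
    findings += [f"pid {pid}: {why} ({name!r})"
                 for pid, name, why in suspicious_processes(procs)]
    return findings


if __name__ == "__main__":
    for finding in report():
        print(finding)
```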