> Found this shell script on a server:
>
> #!/bin/bash
> # cracker ssh backdoor - by AppleJuice
> if [ -f /usr/sbin/sshd ]; then
> FILE=/usr/sbin/sshd
> NR=`strings $FILE | grep --line-number "ssh_mpmzm_pow" | awk -F ":" '{print $1}'`
> _SNF=`expr $NR + 1`
> _PASS=`expr $NR + 2`
> SNF=`strings $FILE | head -n $_SNF | tail -n 1`
> PASS=`strings $FILE | head -n $_PASS | tail -n 1`
> echo "first string: $SNF"
> echo "second string: $PASS"
> fi
>
> The server was obviously hacked, but I don't understand how the script
> came on the server and its usage and purpose
On quick inspection (I'm no bash script expert), the script is
trying to find a master password encoded inside the sshd (SSH daemon).
Sorry but I'm also not a *NIX guru to even know if SSH has a backdoor or
master password encoded within it. From a Google search:

http://www.google.com/search?q=%2Bss...or+%2Bpassword

it certainly appears there is a backdoor password. From reading just a
couple of results from the search, and from the example at http://www.horseb.net/html/7643/7643.html, apparently you can edit an
includes.h file to define your backdoor and recompile. If the script
can find the password, and because I don't see any fancy decoding
scheme, maybe that backdoor password is just plain text. The script
just goes a hunting for the text backdoor password if one got put into
SSH. So you'll want to make sure you have an unmodified SSH
installation.
Another article
(http://www.juniper.net/security/auto...vuln25290.html)
mentions how SSH can be backdoored by using the known parameters used to
build the password. There also seems to be some "port knocking"
vulnerability to SSH (you can Google on that).
On Fri, 4 Feb 2011 15:26:00 -0500, DasFox <dasfox@hushmail.com> wrote:
>On Fri, 4 Feb 2011 13:48:18 -0600, VanguardLH wrote:
>
>> Ebenezer Scrooge wrote:
>>
>>> Found this shell script on a server:
>>>
>>> #!/bin/bash
>>> # cracker ssh backdoor - by AppleJuice
>
>> From a Google search:
>>
>> http://www.google.com/search?q=%2Bss...or+%2Bpassword
>>
>> it certainly appears there is a backdoor password.
>
>WOW...great deducement...did the word *BACKDOOR* clue you up...
>
>And you had to search GOOGLE for that...LOL
>
>THANKS
On 04/02/2011 20:48, VanguardLH wrote:
> Ebenezer Scrooge wrote:
>
>> Found this shell script on a server:
>>
>> #!/bin/bash
>> # cracker ssh backdoor - by AppleJuice
>> if [ -f /usr/sbin/sshd ]; then
>> FILE=/usr/sbin/sshd
>> NR=`strings $FILE | grep --line-number "ssh_mpmzm_pow" | awk -F ":" '{print $1}'`
>> _SNF=`expr $NR + 1`
>> _PASS=`expr $NR + 2`
>> SNF=`strings $FILE | head -n $_SNF | tail -n 1`
>> PASS=`strings $FILE | head -n $_PASS | tail -n 1`
>> echo "first string: $SNF"
>> echo "second string: $PASS"
>> fi
>>
>> The server was obviously hacked, but I don't understand how the script
>> came on the server and its usage and purpose
>
> On quick inspection (I'm no bash script expert), the script is
> trying to find a master password encoded inside the sshd (SSH daemon).
> Sorry but I'm also not a *NIX guru to even know if SSH has a backdoor or
> master password encoded within it. From a Google search:
>
> http://www.google.com/search?q=%2Bss...or+%2Bpassword
>
> it certainly appears there is a backdoor password.
Don't know: fact is, with that script one can see full SSH logins in
plain text with root password...
> Ebenezer Scrooge wrote:
>
>> Found this shell script on a server:
>>
>> #!/bin/bash
>> # cracker ssh backdoor - by AppleJuice
>> if [ -f /usr/sbin/sshd ]; then
>> FILE=/usr/sbin/sshd
>> NR=`strings $FILE | grep --line-number "ssh_mpmzm_pow" | awk -F ":" '{print $1}'`
>> _SNF=`expr $NR + 1`
>> _PASS=`expr $NR + 2`
>> SNF=`strings $FILE | head -n $_SNF | tail -n 1`
>> PASS=`strings $FILE | head -n $_PASS | tail -n 1`
>> echo "first string: $SNF"
>> echo "second string: $PASS"
>> fi
>>
>> The server was obviously hacked, but I don't understand how the script
>> came on the server and its usage and purpose
>
> On quick inspection (I'm no bash script expert), the script is
> trying to find a master password encoded inside the sshd (SSH daemon).
> Sorry but I'm also not a *NIX guru to even know if SSH has a backdoor or
> master password encoded within it. From a Google search:
>
> http://www.google.com/search?q=%2Bss...or+%2Bpassword
The backdoor only appears to affect older versions of openssh; I just took a
look at the openssh source code on my system, and there does not appear to
be any way to set a backdoor password. I have never heard of anyone setting
such an ssh backdoor, but it certainly appears to have been an option at
some point.
> Found this shell script on a server:
>
> #!/bin/bash
> # cracker ssh backdoor - by AppleJuice
> if [ -f /usr/sbin/sshd ]; then
> FILE=/usr/sbin/sshd
> NR=`strings $FILE | grep --line-number "ssh_mpmzm_pow" | awk -F ":" '{print $1}'`
> _SNF=`expr $NR + 1`
> _PASS=`expr $NR + 2`
> SNF=`strings $FILE | head -n $_SNF | tail -n 1`
> PASS=`strings $FILE | head -n $_PASS | tail -n 1`
> echo "first string: $SNF"
> echo "second string: $PASS"
> fi
>
>
> The server was obviously hacked, but I don't understand how the script
> came on the server and its usage and purpose
Are you using openssh, or some other ssh server? Also, which version are
you using? I cannot seem to find the string ssh_mpmzm_pow in the sshd
executable on any of my systems, nor can I find it in the source code for
openssh, nor in libssh*. Those systems are running Fedora; what is yours
running?
> VanguardLH wrote:
>
>> Ebenezer Scrooge wrote:
>>
>>> Found this shell script on a server:
>>>
>>> #!/bin/bash
>>> # cracker ssh backdoor - by AppleJuice
>>> if [ -f /usr/sbin/sshd ]; then
>>> FILE=/usr/sbin/sshd
>>> NR=`strings $FILE | grep --line-number "ssh_mpmzm_pow" | awk -F ":" '{print $1}'`
>>> _SNF=`expr $NR + 1`
>>> _PASS=`expr $NR + 2`
>>> SNF=`strings $FILE | head -n $_SNF | tail -n 1`
>>> PASS=`strings $FILE | head -n $_PASS | tail -n 1`
>>> echo "first string: $SNF"
>>> echo "second string: $PASS"
>>> fi
>>>
>>> The server was obviously hacked, but I don't understand how the script
>>> came on the server and its usage and purpose
>>
>> On quick inspection (I'm no bash script expert), the script is
>> trying to find a master password encoded inside the sshd (SSH daemon).
>> Sorry but I'm also not a *NIX guru to even know if SSH has a backdoor or
>> master password encoded within it. From a Google search:
>>
>> http://www.google.com/search?q=%2Bss...or+%2Bpassword
>
> The backdoor only appears to affect older versions of openssh; I just took a
> look at the openssh source code on my system, and there does not appear to
> be any way to set a backdoor password. I have never heard of anyone setting
> such an ssh backdoor, but it certainly appears to have been an option at
> some point.
>
> -- B
From what I read, the articles that mentioned the source for the sshd
were for OpenSSH. So maybe it was a peculiar "feature" of just that
version of it.
> Mr. B wrote:
>
>> VanguardLH wrote:
>>
>>> Ebenezer Scrooge wrote:
>>>
>>>> Found this shell script on a server:
>>>>
>>>> #!/bin/bash
>>>> # cracker ssh backdoor - by AppleJuice
>>>> if [ -f /usr/sbin/sshd ]; then
>>>> FILE=/usr/sbin/sshd
>>>> NR=`strings $FILE | grep --line-number "ssh_mpmzm_pow" | awk -F ":" '{print $1}'`
>>>> _SNF=`expr $NR + 1`
>>>> _PASS=`expr $NR + 2`
>>>> SNF=`strings $FILE | head -n $_SNF | tail -n 1`
>>>> PASS=`strings $FILE | head -n $_PASS | tail -n 1`
>>>> echo "first string: $SNF"
>>>> echo "second string: $PASS"
>>>> fi
>>>>
>>>> The server was obviously hacked, but I don't understand how the script
>>>> came on the server and its usage and purpose
>>>
>>> On quick inspection (I'm no bash script expert), the script is
>>> trying to find a master password encoded inside the sshd (SSH daemon).
>>> Sorry but I'm also not a *NIX guru to even know if SSH has a backdoor or
>>> master password encoded within it. From a Google search:
>>>
>>> http://www.google.com/search?q=%2Bss...or+%2Bpassword
>>
>> The backdoor only appears to affect older versions of openssh; I just
>> took a look at the openssh source code on my system, and there does not
>> appear to
>> be any way to set a backdoor password. I have never heard of anyone
>> setting such an ssh backdoor, but it certainly appears to have been an
>> option at some point.
>>
>> -- B
>
> From what I read, the articles that mentioned the source for the sshd
> were for OpenSSH. So maybe it was a peculiar "feature" of just that
> version of it.
Like I said, I took a look at the source for openssh on my systems -- some
running CentOS, some running Fedora -- and the method of introducing a
backdoor that was described in the article did not appear to be there, nor
did it appear to be removed by any of the patches that the CentOS and Fedora
teams apply to their packages. The articles seem to refer to older versions
of openssh, which may be in use in some places.
On 06/02/2011 16:36, Mr. B wrote:
> Ebenezer Scrooge wrote:
>
>> Found this shell script on a server:
>>
>> #!/bin/bash
>> # cracker ssh backdoor - by AppleJuice
>> if [ -f /usr/sbin/sshd ]; then
>> FILE=/usr/sbin/sshd
>> NR=`strings $FILE | grep --line-number "ssh_mpmzm_pow" | awk -F ":" '{print $1}'`
>> _SNF=`expr $NR + 1`
>> _PASS=`expr $NR + 2`
>> SNF=`strings $FILE | head -n $_SNF | tail -n 1`
>> PASS=`strings $FILE | head -n $_PASS | tail -n 1`
>> echo "first string: $SNF"
>> echo "second string: $PASS"
>> fi
>>
>>
>> The server was obviously hacked, but I don't understand how the script
>> came on the server and its usage and purpose
>
> Are you using openssh, or some other ssh server? Also, which version are
> you using? I cannot seem to find the string ssh_mpmzm_pow in the sshd
> executable on any of my systems, nor can I find it in the source code for
> openssh, nor in libssh*. Those systems are running Fedora; what is yours
> running?
The distro was Debian Lenny, freshly upgraded some days ago. And yep, it
is OpenSSH.
I'm considering also the option of a hacked/tampered sshd file.
> On 06/02/2011 16:36, Mr. B wrote:
>> Ebenezer Scrooge wrote:
>>
>>> Found this shell script on a server:
>>>
>>> #!/bin/bash
>>> # cracker ssh backdoor - by AppleJuice
>>> if [ -f /usr/sbin/sshd ]; then
>>> FILE=/usr/sbin/sshd
>>> NR=`strings $FILE | grep --line-number "ssh_mpmzm_pow" | awk -F ":" '{print $1}'`
>>> _SNF=`expr $NR + 1`
>>> _PASS=`expr $NR + 2`
>>> SNF=`strings $FILE | head -n $_SNF | tail -n 1`
>>> PASS=`strings $FILE | head -n $_PASS | tail -n 1`
>>> echo "first string: $SNF"
>>> echo "second string: $PASS"
>>> fi
>>>
>>>
>>> The server was obviously hacked, but I don't understand how the script
>>> came on the server and its usage and purpose
>>
>> Are you using openssh, or some other ssh server? Also, which version are
>> you using? I cannot seem to find the string ssh_mpmzm_pow in the sshd
>> executable on any of my systems, nor can I find it in the source code for
>> openssh, nor in libssh*. Those systems are running Fedora; what is yours
>> running?
>
> The distro was Debian Lenny, freshly upgraded some days ago. And yep, it
> is OpenSSH.
Which version of openssh? I checked versions 4.3 and 5.5, and as I said,
the string ssh_mpmzm_pow was not present in the sshd binary in both cases.
> I'm considering also the option of a hacked/tampered sshd file.
It is possible, although that script would not have done it. Also, if the
sshd binary had been tampered with, there would have been little point to
the script, since the strings it searches for could just be printed by a
modified sshd.
> Found also this reference from another newsgroup, dunno if it's related:
> http://cve.mitre.org/cgi-bin/cvename...=CVE-2007-3108
That does not appear to be relevant to the script you presented; the script
just uses the string ssh_mpmzm_pow to locate two other strings, which
apparently have some constant offset relative to the location of
ssh_mpmzm_pow. To be honest, since I cannot reproduce whatever output you
are getting from that script, I cannot say for sure what it does, other than
that it searches the sshd binary for two ascii strings.
On 07/02/2011 03:32, Mr. B wrote:
> Ebenezer Scrooge wrote:
>
>> On 06/02/2011 16:36, Mr. B wrote:
>>> Ebenezer Scrooge wrote:
>>>
>>>> Found this shell script on a server:
>>>>
>>>> #!/bin/bash
>>>> # cracker ssh backdoor - by AppleJuice
>>>> if [ -f /usr/sbin/sshd ]; then
>>>> FILE=/usr/sbin/sshd
>>>> NR=`strings $FILE | grep --line-number "ssh_mpmzm_pow" | awk -F ":" '{print $1}'`
>>>> _SNF=`expr $NR + 1`
>>>> _PASS=`expr $NR + 2`
>>>> SNF=`strings $FILE | head -n $_SNF | tail -n 1`
>>>> PASS=`strings $FILE | head -n $_PASS | tail -n 1`
>>>> echo "first string: $SNF"
>>>> echo "second string: $PASS"
>>>> fi
>>>>
>>>>
>>>> The server was obviously hacked, but I don't understand how the script
>>>> came on the server and its usage and purpose
>>>
>>> Are you using openssh, or some other ssh server? Also, which version are
>>> you using? I cannot seem to find the string ssh_mpmzm_pow in the sshd
>>> executable on any of my systems, nor can I find it in the source code for
>>> openssh, nor in libssh*. Those systems are running Fedora; what is yours
>>> running?
>>
>> The distro was Debian Lenny, freshly upgraded some days ago. And yep, it
>> is OpenSSH.
>
> Which version of openssh? I checked versions 4.3 and 5.5, and as I said,
> the string ssh_mpmzm_pow was not present in the sshd binary in both cases.
>
>> I'm considering also the option of a hacked/tampered sshd file.
>
> It is possible, although that script would not have done it. Also, if the
> sshd binary had been tampered with, there would have been little point to
> the script, since the strings it searches for could just be printed by a
> modified sshd.
>
>> Found also this reference from another newsgroup, dunno if it's related:
>> http://cve.mitre.org/cgi-bin/cvename...=CVE-2007-3108
>
> That does not appear to be relevant to the script you presented; the script
> just uses the string ssh_mpmzm_pow to locate two other strings, which
> apparently have some constant offset relative to the location of
> ssh_mpmzm_pow. To be honest, since I cannot reproduce whatever output you
> are getting from that script, I cannot say for sure what it does, other than
> that it searches the sshd binary for two ascii strings.
The second string, when running the script, did point to a file
sshd.proc or something similar; anyway, when I cat'd the file, I got a
list of ssh logins, along with respective users and passwords.
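Putting Mr. B's reading of the script together with the sshd.proc finding above, here is an added triage helper (not code from the thread or from any of its posters) that a responder could run against a suspect binary on a Debian box like the one described: it verifies the file against the md5sum dpkg recorded for the package, and it does the same marker lookup the dropped script does but fails cleanly when the marker is absent or occurs more than once, two cases the original's `expr`/`head -n` chain mishandles. The function names, the sample bytes and the /var/log/sshd.proc layout are assumptions made for the example.

```shell
#!/bin/sh
# Added triage helper for a suspect sshd; not code from the thread.
# Debian records a digest of every packaged file in
# /var/lib/dpkg/info/<pkg>.md5sums, so a replaced /usr/sbin/sshd shows up
# as a mismatch. The marker lookup mirrors the dropped script's logic but
# handles the cases it does not: marker absent, or present more than once.
export LC_ALL=C

# Emulate strings(1): printable runs of at least 4 bytes, one per line.
extract_strings() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}'
}

# dpkg_md5_check MD5SUMS_FILE FILE -> 0 ok, 1 mismatch, 2 not listed.
# MD5SUMS_FILE lines look like "<md5>  usr/sbin/sshd" (no leading slash).
dpkg_md5_check() {
    rel=${2#/}
    want=$(awk -v p="$rel" '$2 == p { print $1 }' "$1")
    [ -n "$want" ] || return 2
    have=$(md5sum "$2" | awk '{ print $1 }')
    [ "$want" = "$have" ]
}

# marker_context FILE MARKER -> prints the two strings stored after MARKER
# (the log path and the secret the script calls SNF and PASS).
# Returns 1 if the marker is absent and 2 if it occurs more than once; the
# original script would hand "3\n17" to expr in that case and print junk.
marker_context() {
    file=$1 marker=$2
    set -- $(extract_strings "$file" | grep -n -F -- "$marker" | cut -d: -f1)
    [ $# -gt 0 ] || return 1
    [ $# -eq 1 ] || return 2
    extract_strings "$file" | sed -n "$(($1 + 1)),$(($1 + 2))p"
}

# Constructed sample standing in for a trojaned sshd: marker, then the log
# path, then the secret, laid out the way the script expects (assumption).
make_sample() {
    printf 'ELF\000junk\000ssh_mpmzm_pow\000/var/log/sshd.proc\000hunter2xyz\000tail\000' > "$1"
}

tmp=$(mktemp)
make_sample "$tmp"
# Manifest built from the sample itself, so it verifies; a real one is
# /var/lib/dpkg/info/openssh-server.md5sums.
printf '%s  %s\n' "$(md5sum "$tmp" | awk '{ print $1 }')" "${tmp#/}" > "$tmp.md5sums"
dpkg_md5_check "$tmp.md5sums" "$tmp" && echo "manifest: ok"
marker_context "$tmp" ssh_mpmzm_pow   # prints the log path, then the secret
rm -f "$tmp" "$tmp.md5sums"
```

On a live system a mismatch from the manifest check is the finding that matters; the marker lookup only tells you where a trojaned daemon is writing captured logins, which is the file the last post describes reading.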