[scg-sec] FreeBSD exploit?
Paul Goyette
pgoyette at juniper.net
Fri Mar 4 13:04:19 EST 2005
Thanks, Don!
I am having the compromised Route Engine sent to me for
analysis. Customer will install a clean-from-factory
replacement.
-----Original Message-----
From: Smith, Donald [mailto:Donald.Smith at qwest.com]
Sent: Friday, March 04, 2005 9:55 AM
To: Paul Goyette; Skitter List
Subject: RE: [scg-sec] FreeBSD exploit?
Yes, you're seeing this exploit.
http://www.k-otik.com/exploits/08202004.brutessh2.c.php
It's an ssh bruteforce guessing tool. It guesses thousands of passwords, mostly
root and admin.
It is usually installed AFTER someone gains access using bruteforce ssh
password guessing along with a ROOT KIT!
Every compromised system I have seen had the root kit but I have not seen a
juniper router compromised by this so I don't know if they have a root kit
for your system. It seems a root kit for freebsd would work.
They usually have trojaned binaries and hide files using simple ... methods.
uniq.txt is the set of systems it has scanned and found open. It has OR will
attempt to bruteforce each of those systems.
Pscan is just a synscanning tool. Nothing fancy or special.
sshf is the bruteforce tool; it relies on something ELSE to do the scanning
and create the uniq.txt file.
If you need help with this let me know; I have examined a few systems with it
before :)
donald.smith at qwest.com giac
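The toolchain Don describes (pscan finds hosts with port 22 open, sshf then guesses root/admin passwords against each one) leaves a very recognizable trace on the target's own sshd log: bursts of "Failed password" lines for a handful of usernames from one source, sometimes followed by an "Accepted password" from that same source once a guess lands. The following detector is an added example for this thread, not a tool from the list or from either poster; the log lines it runs over are constructed, and the hostname, addresses, year and threshold are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines in the syslog style FreeBSD writes to
# /var/log/auth.log. They are made up for this example: 192.0.2.10 plays the
# brute-forcer (root/admin/test guesses, then a successful root login),
# 198.51.100.7 is an ordinary user who mistyped a password once.
SAMPLE_LOG = """\
Feb 21 06:29:01 router sshd[1201]: Failed password for root from 192.0.2.10 port 40211 ssh2
Feb 21 06:29:03 router sshd[1202]: Failed password for root from 192.0.2.10 port 40212 ssh2
Feb 21 06:29:05 router sshd[1203]: Failed password for invalid user admin from 192.0.2.10 port 40213 ssh2
Feb 21 06:29:08 router sshd[1204]: Failed password for root from 192.0.2.10 port 40214 ssh2
Feb 21 06:29:10 router sshd[1205]: Failed password for invalid user admin from 192.0.2.10 port 40215 ssh2
Feb 21 06:29:12 router sshd[1206]: Failed password for invalid user test from 192.0.2.10 port 40216 ssh2
Feb 21 06:29:40 router sshd[1207]: Accepted password for root from 192.0.2.10 port 40217 ssh2
Feb 21 07:10:22 router sshd[1301]: Failed password for pgoyette from 198.51.100.7 port 51000 ssh2
Feb 21 07:10:35 router sshd[1302]: Accepted password for pgoyette from 198.51.100.7 port 51001 ssh2
"""

# Matches both "Failed password for root from ..." and the "invalid user"
# variant sshd emits for accounts that do not exist.
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+sshd\[\d+\]:\s+'
    r'(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) '
    r'from (?P<src>\S+) port \d+'
)


def parse_events(log_text, year=2005):
    """Return a list of (timestamp, result, user, src) for each password event.
    Syslog lines carry no year, so the caller supplies one (assumed 2005 here)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other sshd messages or other daemons
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m['result'], m['user'], m['src']))
    return events


def find_bruteforce_sources(log_text, threshold=5, window_seconds=60, year=2005):
    """Return {src: report} for every source that produced at least `threshold`
    failed passwords inside some span of `window_seconds`. The report lists the
    usernames tried and any successful login from that source after its last
    failure, which is the case to treat as a compromise rather than as noise."""
    events = parse_events(log_text, year)
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ts, result, user, src in events:
        (failures if result == "Failed" else successes)[src].append((ts, user))

    reports = {}
    for src, fails in failures.items():
        fails.sort()
        times = [ts for ts, _ in fails]
        # Sliding window: any run of `threshold` consecutive failures that fits
        # inside `window_seconds` counts as a burst.
        burst = any(
            (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds
            for i in range(len(times) - threshold + 1)
        )
        if not burst:
            continue
        last_fail = times[-1]
        login_after = [user for ts, user in successes.get(src, []) if ts >= last_fail]
        reports[src] = {
            "attempts": len(fails),
            "users": sorted({user for _, user in fails}),
            "success_after_failures": login_after,
        }
    return reports


if __name__ == "__main__":
    for src, report in find_bruteforce_sources(SAMPLE_LOG).items():
        print(src, report)
```

The threshold and window are deliberately loose (five failures in a minute); a guessing tool that tries thousands of passwords blows past that immediately, while a human typo does not. The "success_after_failures" field is the one worth paging on: a burst that ends in an accepted login from the same source is exactly how the box in this thread would have been taken.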
________________________________
From: scg-sec-bounces at puck.nether.net on behalf of Paul Goyette
Sent: Fri 3/4/2005 10:31 AM
To: Skitter List
Subject: [scg-sec] FreeBSD exploit?
OK, so one of our customers found some weird stuff on a M-series
router while investigating the reasons for the box continually
crashing. In addition to the stuff in the following directory,
it looks like the box was running an IRC server and a mail proxy.
Does any of this look familiar to anyone? I'm guessing we got
compromised by poor passwords, but still not sure until I can
poke around the box myself.
/var/tmp/nesshbf/:
total 3620
-rw-r--r-- 1 root wheel 0 Feb 21 18:27 217.61.pscan.22
-rw-r--r-- 1 root wheel 38 Feb 21 06:30 log.bigsshf
-rw-r--r-- 1 root wheel 0 Feb 20 15:06 overnight.txt
-rwx------ 1 root wheel 21407 Feb 15 00:31 pscan2*
-rwx------ 1 root wheel 453972 Feb 15 00:31 ss*
-rwxr-xr-x 1 root wheel 1347413 Feb 15 00:31 sshf*
-rwxr-xr-x 1 root wheel 758 Feb 20 15:42 sshmass2*
-rw-r--r-- 1 root wheel 14 Feb 21 06:30 uniq.txt
_______________________________________________
scg-sec mailing list
scg-sec at puck.nether.net
https://puck.nether.net/mailman/listinfo/scg-sec