Alex Schultz wrote:

| I'm not 100% sure, but after a quick look it appears that sshf opens up
| the uniq.txt and then proceeds to connect to every ip using test:test or
| guest:guest. It then dumps out which of those accounts:ip worked to
| vuln.txt. Then a person can just go through the vuln.txt and ssh and
| perform whatever rooting they so choose.
|
| I wonder what the "ss" program does. It's got libpcap compiled into it
| so maybe it's some sort of sniffer and/or ip generator (creates
| bios.txt?).

I believe it's a portscanner. You give it a range with -b and it sends
SYN packets (if I remember right...) in a simple scan of whatever port
you specified (22). That's why the shell script first does that, then
uses the results from that with sshf (first see if they run sshd, then
see if test:test or guest:guest works, then log in and drop a rootkit).

A poster on full disclosure claims to recognize it as a common portscanner.

--
Dan ("KrispyKringle")
Gentoo Linux Security Coordinator

--
gentoo-security@g.o mailing list
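
For the defensive side of the behaviour discussed in this thread (a port-22 sweep followed by test:test and guest:guest login attempts), here is an added example, not part of the original messages or of the tools they discuss: a Python triage of sshd password-auth log lines. The log lines are constructed samples, and the function names, the host name and the "illegal user"/"invalid user" log wording it matches are assumptions about the local OpenSSH setup.

```python
import re
from collections import defaultdict

# Account names the thread says the tool tries (test:test and guest:guest).
WATCHED = {"test", "guest"}

# sshd password-auth result lines; "illegal user" is older OpenSSH wording.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?:(?:invalid|illegal) user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def triage(lines):
    """Map source IP -> watched accounts it tried and those that got in."""
    seen = defaultdict(lambda: {"tried": set(), "accepted": set()})
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["user"] not in WATCHED:
            continue
        entry = seen[m["ip"]]
        entry["tried"].add(m["user"])
        if m["result"] == "Accepted":
            entry["accepted"].add(m["user"])
    return dict(seen)

def classify(entry):
    """Rank one source: a successful watched login outranks a failed sweep."""
    if entry["accepted"]:
        return "compromised"
    if entry["tried"] == WATCHED:
        return "sweep"
    return "single-attempt"

# Constructed sample log lines (documentation IP ranges, hypothetical host "host1").
SAMPLE = """\
Aug 29 21:14:02 host1 sshd[4021]: Failed password for illegal user test from 192.0.2.10 port 40312 ssh2
Aug 29 21:14:04 host1 sshd[4023]: Failed password for illegal user guest from 192.0.2.10 port 40313 ssh2
Aug 29 21:20:11 host1 sshd[4107]: Failed password for invalid user test from 198.51.100.7 port 51200 ssh2
Aug 29 21:20:13 host1 sshd[4109]: Accepted password for guest from 198.51.100.7 port 51201 ssh2
Aug 29 21:31:40 host1 sshd[4200]: Failed password for root from 203.0.113.5 port 33010 ssh2
Aug 29 21:32:02 host1 sshd[4202]: Accepted password for alice from 203.0.113.5 port 33011 ssh2
Aug 29 21:40:19 host1 sshd[4300]: Failed password for guest from 203.0.113.99 port 60100 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, entry in sorted(triage(SAMPLE).items()):
        print(ip, classify(entry), sorted(entry["tried"]))
```

A source classified as "compromised" means a password login to a watched account succeeded, so that host should be treated as an incident rather than as scan noise.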