[8582] in bugtraq


Comments on the sshdwarez "exploit"

daemon@ATHENA.MIT.EDU (Tatu Ylonen)
Tue Nov 17 11:30:48 1998

Date: 	Tue, 17 Nov 1998 17:51:25 +0200
Reply-To: Tatu Ylonen <ylo@SSH.FI>
From: Tatu Ylonen <ylo@SSH.FI>
X-To:         ssh@clinet.fi
To: BUGTRAQ@NETSPACE.ORG

-----BEGIN PGP SIGNED MESSAGE-----

As several people have already noted, the "sshdwarez" or "sshdexp"
trojan posted on bugtraq actually has nothing to do with SSH.  It does
not exploit any vulnerability in any version of SSH.  Instead, it is
simply a program that, if run as root, adds two new entries in
/etc/passwd and sends mail back to the hacker's account at
hotmail.com.

No action is required from SSH users.

Just do not run the sshdwarez trojan.  If you have already run it,
check your /etc/passwd file to make sure there are no extra entries.
In fact, it may be a good idea to check your passwd files anyway; the
accounts created by this particular trojan can be found by:

   grep babo: /etc/passwd
   grep b4b0: /etc/passwd

For more information, please check http://www.ssh.fi/sshprotocols2/.

Regards,

    Tatu

- --
SSH Communications Security           http://www.ssh.fi/
SSH IPSEC Toolkit                     http://www.ipsec.com/
Free Unix SSH                         http://www.ssh.fi/sshprotocols2/

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQCVAwUBNlGa+6kZxfGWH0o1AQG0pQP/TudMyud5+1RlBe4d7PxAC74NMm3ALe65
7s1DBr61zFeZsp9ss8A3loJW4lqh2TFZKSYOm3jZK1kfUsGTcgPgP56E8WgZxvaV
ULkJ9jy0xqRqq4i8SJUex0dlZbBaeacqJhWpGlePYSVlwAd5Vsnw5W5MUZIvcHlX
yUCY2xeA2M4=
=hx0k
-----END PGP SIGNATURE-----
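
Added example, not part of the message above: the two grep commands match "babo:" anywhere in a line, so a login such as "ababo" or a home directory ending in "babo" also matches. This sketch compares the login field exactly and, as a generalization beyond the post, also reports any UID 0 account other than root. The function names and the sample entries are assumptions made for illustration.

```shell
#!/bin/sh
# audit_passwd [FILE]: scan a passwd-format file (default /etc/passwd).
# Prints one line per finding; returns 1 if anything was found, else 0.
audit_passwd() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        # Exact match on field 1, the login name, for the two names in the post.
        $1 == "babo" || $1 == "b4b0" {
            printf "TROJAN-ACCOUNT line %d: %s (uid %s)\n", NR, $1, $3
            found = 1
            next
        }
        # Generalization (not in the post): a second superuser entry.
        $3 ~ /^0+$/ && $1 != "root" {
            printf "EXTRA-UID0 line %d: %s\n", NR, $1
            found = 1
        }
        END { exit (found ? 1 : 0) }
    ' "${1:-/etc/passwd}"
}

# Constructed sample input. Only the names babo and b4b0 come from the post;
# every UID, home directory and shell here is invented.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
ababo:x:1001:1001:Legitimate user:/home/ababo:/bin/sh
babo:x:1002:1002::/tmp:/bin/sh
b4b0:x:1003:1003::/tmp:/bin/sh
toor:x:0:0::/root:/bin/sh
EOF
}

# Run "sh thisfile --demo" to audit the constructed sample via standard input.
if [ "${1:-}" = "--demo" ]; then
    sample_passwd | audit_passwd - || true
fi
```

On the constructed sample this reports babo, b4b0 and toor, and leaves ababo alone.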
