openssh Port24 New Trojaner ?
Hi list

My hosting partner is telling me that my server is hacked.
It should be a problem with a wrong version of openssh and a trojan will be installed on port 24. No more information.
Now I have checked my server, but there is nothing.
I'm using the version openssh 3.5p1 (Suse 8.2)
Does somebody know something about this trojan?

nmap -sS 217.*.*.*

Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
Interesting ports on (217.*.*.*):
(The 1542 ports scanned but not shown below are in state: filtered)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
25/tcp     open        smtp
80/tcp     open        http
110/tcp    open        pop-3
113/tcp    closed      auth
443/tcp    closed      https

####################################################

Thanks for helping
Lars

Hi Lars,

> It should be a problem with a wrong version of openssh and a trojan will be installed on port 24. No more information.
> Now I have checked my server, but there is nothing.
> I'm using the version openssh 3.5p1 (Suse 8.2)
> Does somebody know something about this trojan?
> nmap -sS 217.*.*.*

--> You did run this command from a guaranteed not-infected system? If you run it from your host, the trojan may have replaced the nmap binary (same applies to other tools like lsof, netstat, ps, ls, ...)

Just my 2 cents,
Armin

--
Am Hasenberg 26              office: Institut für Atmosphärenphysik
D-18209 Bad Doberan          Schloss-Straße 6
Tel. ++49-(0)38203/42137     D-18225 Kühlungsborn / GERMANY
Email: schoech@iap-kborn.de  Tel. +49-(0)38293-68-102
WWW: http://armins.cjb.net/  Fax. +49-(0)38293-68-50

Hi,

> My hosting partner is telling me that my server is hacked.

So you're a server4free customer ;)

> It should be a problem with a wrong version of openssh and a trojan will be installed on port 24. No more information.

That's a false positive, I know they send the 'information' email to all ppl instead of those who really have the trojan. AFAIK it occurred on their default install of suse 7.2 where openssh is REALLY out of date. So if you've updated your server frequently you can cool down. To be sure check your server with chkrootkit (www.chkrootkit.org).

> Now I have checked my server, but there is nothing.

Like I said, false positives..

> I'm using the version openssh 3.5p1 (Suse 8.2)

If you use YOU/fou4s, then it should be fine...

> Does somebody know something about this trojan?

Dunno exactly which trojan it is, afaik it's a rootkit (adore) with a few scripts (shells etc.) to feel happy on every box ;)

HTH,
Sven Michels

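
Added example, not part of any message in this thread: a cross-view check that compares a port scan taken from a separate, trusted machine with the listening sockets the suspect host itself reports, which is the comparison Armin's point about replaced binaries calls for. Both sample outputs are constructed (including the port 24 row), and the function names are hypothetical.

```python
import re

# Constructed sample: nmap port table as scanned from a separate, trusted host.
NMAP_TRUSTED = """\
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
24/tcp     open        priv-mail
25/tcp     open        smtp
113/tcp    closed      auth
"""

# Constructed sample: `netstat -tln` output collected on the suspect server.
NETSTAT_LOCAL = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 :::80                   :::*                    LISTEN
"""

def nmap_open_ports(text):
    """TCP ports that the external scan reports as open (closed rows are skipped)."""
    return {int(m.group(1))
            for m in re.finditer(r"^(\d+)/tcp\s+open\s", text, re.M)}

def netstat_listening(text):
    """Map port -> set of local bind addresses for TCP sockets in LISTEN state."""
    ports = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp") and f[-1] == "LISTEN":
            addr, _, port = f[3].rpartition(":")
            ports.setdefault(int(port), set()).add(addr)
    return ports

def cross_view(nmap_text, netstat_text):
    """Compare the outside view with what the host's own tools admit to."""
    outside = nmap_open_ports(nmap_text)
    inside = netstat_listening(netstat_text)
    # Sockets bound only to loopback cannot be reached by an external scan.
    reachable = {p for p, a in inside.items() if a - {"127.0.0.1", "::1"}}
    return {
        "hidden_from_host": sorted(outside - set(inside)),   # open outside, denied locally
        "not_seen_outside": sorted(reachable - outside),     # usually firewall filtering
    }

if __name__ == "__main__":
    print(cross_view(NMAP_TRUSTED, NETSTAT_LOCAL))
```

A port listed under `hidden_from_host` means the local tools are not reporting a socket that answers from outside, so the host's binaries or kernel should be treated as untrusted and examined from known-good media.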
participants (3)
- Armin Schoech
- Lars Vaessen
- Sven 'Darkman' Michels