After looking around a bit more (should have researched a bit before posting), the second sshf that currently resides at frauder.us is infected with RST-variant.
More info at: http://www.lockeddown.net/rst-expl.txt

Bill

-----Original Message-----
From: Bill Roemhild
Sent: Sunday, August 15, 2004 1:58 AM
To: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Automated SSH login attempts?

Ohh great.. two different versions floating around. Not sure where I got the first one, but the second was from frauder.us.

-rwxr-xr-x 1 root root 1365263 Jul 12 11:10 sshf1*
-rwxr-xr-x 1 root root 1369359 Aug  1 19:24 sshf2*

[EMAIL PROTECTED]:/usr/local/src/ssh/show# strings sshf1 > sshf1.strings
[EMAIL PROTECTED]:/usr/local/src/ssh/show# strings sshf2 > sshf2.strings
[EMAIL PROTECTED]:/usr/local/src/ssh/show# diff sshf1.strings sshf2.strings
4402a4403,4466
> SQRVW
> _^ZY[
> SQR1
> SQRV
> H^ZY[
> SQRVW
> _^ZY[
> _^ZY[
> QSP1
> QSP1
> QSP1
> QSP1
> RQSP1
> X[YZ
> RQSP1
> X[YZ
> QSP1
> SQRV1
> ^ZY[
> /dev/hdx
> SQRVW
> ZY[=
> ZY[=
> _^ZY[
> SQRVW
> Y[_^ZY[
> ZY[=
> [SQRVW
> tBSQR
> ZY[=
> ZY[=
> [X_^ZY[
> DOM`
> /bin/sh
> xxxxyyyyzzzz
> Y[XXXXXX
> GET /~telcom69/gov.php HTTP/1.0
> ppp0
> eth0
> h/bin
> PSQRVWP
> [X_^ZY[X
> SQRVWS
> ZY[=
> ZY[f
> ZY[=
> ZY[=
> fAf;NH
> ZY[=
> YQSQR
> ZY[=
> ZY[=
> ZY[fAf;NLr
> ZY[=
> ZY[=
> F4SQR
> ZY[=
> [X_^ZY[
> ZY[=
> _WSQR
> ZY[SQR
> snortdos
> tory
> /lib/ld-linux.so.2

Bill

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
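The `strings` + `diff` comparison in the quoted message is a quick way to spot code appended to a binary by a file infector: the second sshf carries a block of new printable strings (register-save byte patterns, a raw disk device, `/bin/sh`, an embedded HTTP request, interface names) that the first does not. The following is an added example, not code from the message or from any project; it reimplements that check in Python so it can be scripted across many binaries. The sample bytes are constructed here (the "clean" build is a few made-up strings, the "infected" build is the same bytes with strings taken from the posted diff appended), and the indicator regexes are this example's own heuristics, not a published signature for RST.

```python
"""Compare the printable strings of two binaries, as `strings a > a.txt;
strings b > b.txt; diff a.txt b.txt` does, and flag new strings that a
stock sshd has no reason to carry. Added example; sample data is constructed."""

import re
from typing import Iterable, List, Set, Tuple

MIN_LEN = 4  # GNU strings' default minimum run length


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Runs of printable ASCII (0x20-0x7e, plus tab) at least min_len bytes
    long, in file order; roughly what `strings -a` prints for the file."""
    pattern = rb"[\x20-\x7e\t]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def new_strings(clean: bytes, suspect: bytes) -> List[str]:
    """Strings present in `suspect` but absent from `clean`, deduplicated,
    in order of first appearance (the '>' lines a diff would show, minus
    repeats of strings the clean build already contains)."""
    baseline = set(extract_strings(clean))
    seen: Set[str] = set()
    added: List[str] = []
    for s in extract_strings(suspect):
        if s not in baseline and s not in seen:
            seen.add(s)
            added.append(s)
    return added


# Heuristic indicators (this example's own choices, not a formal signature).
SUSPICIOUS: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"^/dev/hd[a-z]$"), "raw disk device path"),
    (re.compile(r"^/bin/sh$"), "shell path newly embedded in a daemon"),
    (re.compile(r"^GET /.* HTTP/1\.[01]$"), "embedded HTTP request (download/beacon)"),
    (re.compile(r"^(eth|ppp)\d+$"), "network interface name (sniffer hook)"),
]


def triage(added: Iterable[str]) -> List[Tuple[str, str]]:
    """Pair each new string that matches an indicator with the reason."""
    hits: List[Tuple[str, str]] = []
    for s in added:
        for rx, why in SUSPICIOUS:
            if rx.match(s):
                hits.append((s, why))
    return hits


def compare_files(clean_path: str, suspect_path: str) -> List[Tuple[str, str]]:
    """Convenience wrapper for two on-disk binaries."""
    with open(clean_path, "rb") as a, open(suspect_path, "rb") as b:
        return triage(new_strings(a.read(), b.read()))


# Constructed sample: a fake "clean" image with a few benign strings ...
CLEAN = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"sshd_sample_version\x00" + b"\x90\x31\xc0" + b"/usr/sbin/sshd\x00"
    + b"ssh-userauth\x00" + b"/lib/ld-linux.so.2\x00" + b"\x00" * 16
)
# ... and the same image with a block of strings from the posted diff appended.
INFECTED = CLEAN + b"\x00".join([
    b"SQRVW", b"_^ZY[", b"QSP1", b"/dev/hdx", b"/bin/sh", b"xxxxyyyyzzzz",
    b"GET /~telcom69/gov.php HTTP/1.0", b"ppp0", b"eth0", b"/lib/ld-linux.so.2",
]) + b"\x00"

if __name__ == "__main__":
    added = new_strings(CLEAN, INFECTED)
    for s in added:
        print(">", s)
    for s, why in triage(added):
        print(f"FLAG {s!r}: {why}")
```

Two differences from the raw `diff` are worth knowing. `diff` is positional, so a second copy of `/lib/ld-linux.so.2` inside the appended code shows up as an added line even though the clean build already has it; the set-based comparison above drops it and reports only strings that are genuinely new. And a clean baseline of the same package build is what makes the comparison meaningful: diffing two arbitrary sshd versions yields thousands of legitimate differences, so compare against the vendor's package, not another copy from an unknown host.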