Wednesday, July 8, 2009

OpenSSH 0day?

Rumors are flying of an underground OpenSSH exploit. After some digging, we found the tool name and its group:

“./0pen0wn” or “./0penPWN” by the hacker group called “anti-sec.” Check the commands below:

anti-sec:~/pwn/xpl# ./openPWN -h 66.96.220.213 -p 2222 -l=users.txt
[+] openPWN - anti-sec group
[+] Target: 66.96.220.213
[+] SSH Port: 2222
[+] List: users.txt

[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>]


and:


anti-sec:~/pwn/xpl# ./0pen0wn -h 66.197.143.133 -p 22
[+] 0wn0wn - anti-sec group
[+] Target: 66.197.143.133
[+] SSH Port: 22
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>]


Two attack logs exist on the net with this supposed exploit, both by this group. The first is an attack on an Astalavista Admin:

http://romeo.copyandpaste.info/txt/nowayout.txt

The second attack is the one the Internet Storm Center blogged about, which can be seen in its entirety here:

http://tinyurl.com/l8tzba

A Russian site has a play-by-play of the attack here:

http://tinyurl.com/m7cqdh

There is also another attack posted to the Full Disclosure list that seems to be the same tool:
http://seclists.org/fulldisclosure/2009/Jul/0028.html
