Malware detection, cleaning and prevention
John Dalton
Posts: 21
Joined: Sat Nov 04, 2006 11:53 am

infected?

Post by John Dalton » Tue Oct 06, 2009 9:40 pm


This [1] article contains a list [2] of Linux machines that are allegedly infected with "dt_ssh5", an ssh brute force script. The domain "" appears in this list, and a ping tells me that there really is a machine at this address. Perhaps Exetel would like to contact the owner of this machine and tell them that they need to do a clean up? Apparently the script dt_ssh5 typically appears somewhere in the /tmp hierarchy (though that might be the least of their problems).

Addition: A reverse DNS lookup [3] says the IP address corresponds to the domain "4Digital.com.au".


[1] http://bsdly.blogspot.com/2009/10/third ... armed.html
[2] http://www.bsdly.net/~peter/sept30-brut ... -10-04.txt
[3] http://www.domaintools.com/reverse-ip/? ... 233.71.177
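The post says the dt_ssh5 script typically lives somewhere under /tmp; the checks an admin would run on a suspected host are not spelled out in the thread, so here is an added example (not from the original post, nor from the bsdly.net list) of what a triage script might look like. It searches a directory tree for the dt_ssh5 file name the post mentions, lists processes whose executable lives under that tree, and counts outbound SSH connections from a /proc/net/tcp-format table. The function names, the fixture directories and the sample connection table are constructed for this example and are not from the page.

```sh
#!/bin/sh
# Added triage example for a host suspected of running the dt_ssh5 brute
# forcer. The file name "dt_ssh5" and the /tmp location come from the forum
# post; everything else (function names, fixtures) is assumed for this example.

# Print every regular file named dt_ssh5 (or dt_ssh5.*) below $1 (default /tmp).
find_dt_ssh5() {
    dir="${1:-/tmp}"
    find "$dir" -xdev -type f \( -name 'dt_ssh5' -o -name 'dt_ssh5.*' \) -print 2>/dev/null
}

# Number of such files below $1, printed without surrounding whitespace.
count_dt_ssh5() {
    find_dt_ssh5 "$1" | wc -l | tr -d ' '
}

# List "PID /path/to/exe" for running processes whose executable resolves
# under $1 (default /tmp). Linux /proc only; a dropper run straight out of
# /tmp shows up here even after the file on disk has been unlinked.
procs_running_from() {
    dir="${1:-/tmp}"
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$exe" in
            "$dir"/*) echo "${p#/proc/} $exe" ;;
        esac
    done
}

# Count outbound SSH connections in a /proc/net/tcp-format table ($1,
# default /proc/net/tcp): remote port 0016 hex (= 22) in ESTABLISHED (01)
# or SYN_SENT (02) state. A dictionary attacker produces many of these.
count_outbound_ssh() {
    awk 'NR > 1 && $3 ~ /:0016$/ && ($4 == "01" || $4 == "02") { n++ }
         END { print n + 0 }' "${1:-/proc/net/tcp}"
}

# Constructed fixture: a fake /tmp tree containing a hidden dt_ssh5 script.
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/.x/hidden" "$fx/clean"
    printf '#!/bin/sh\necho pretend attacker\n' > "$fx/.x/hidden/dt_ssh5"
    : > "$fx/clean/notes.txt"
    echo "$fx"
}

# Constructed fixture: a /proc/net/tcp-style table with one listener on :22,
# two outbound connections to remote :22 (one established, one in SYN_SENT)
# and one established connection to remote :80 that must not be counted.
make_tcp_fixture() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1 1
   1: 0100007F:C3A1 0A000001:0016 01 00000000:00000000 00:00000000 00000000  1000        0 2 1
   2: 0100007F:C3A2 0A000002:0016 02 00000000:00000000 00:00000000 00000000  1000        0 3 1
   3: 0100007F:C3A3 0A000003:0050 01 00000000:00000000 00:00000000 00000000  1000        0 4 1
EOF
    echo "$f"
}

main() {
    fx=$(make_fixture)
    echo "Suspect files under $fx:"
    find_dt_ssh5 "$fx"
    echo "Processes executing from /tmp:"
    procs_running_from /tmp
    tf=$(make_tcp_fixture)
    echo "Outbound SSH connections in sample table: $(count_outbound_ssh "$tf")"
    rm -rf "$fx" "$tf"
}

main
```

On a real host you would call `find_dt_ssh5 /tmp`, `procs_running_from /tmp` and `count_outbound_ssh` with no arguments; also look under /var/tmp and /dev/shm, since the post only says "somewhere in the /tmp hierarchy". A file name match is the weakest of the three signals: a renamed copy evades it, while a process running from a world-writable directory or a burst of outbound port-22 connections does not depend on the name.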

Dazzled
Volunteer Site Admin
Posts: 6021
Joined: Mon Nov 13, 2006 1:16 pm
Location: Sydney

Re: infected?

Post by Dazzled » Tue Oct 06, 2009 10:04 pm

This is one of those things you hear about but never actually see. If it's real, it's reputed to be a crude SSH dictionary attacker, associated with a corrupted Roundcube PHP mail server. Be careful where you get code from, particularly if you give it root access to the network.

lingg
Exetel Staff
Posts: 132
Joined: Fri Oct 05, 2007 8:52 am
Location: Sydney

Re: infected?

Post by lingg » Wed Oct 14, 2009 5:27 pm

Thank you John, I've informed this customer.
