Page 1 of 1 infected?

Posted: Tue Oct 06, 2009 9:40 pm
by John Dalton

This [1] article contains a list [2] of Linux machines that are allegedly infected with "dt_ssh5", an ssh brute force script. The domain "" appears in this list, and a ping tells me that there really is a machine at this address. Perhaps Exetel would like to contact the owner of this machine and tell them that they need to do a clean up? Apparently the script dt_ssh5 typically appears somewhere in the /tmp hierarchy (though that might be the least of their problems).

Addition: A reverse DNS lookup [3] says the IP address corresponds to the domain "".


[1] ... armed.html
[2] ... -10-04.txt
[3] ... 233.71.177

Re: infected?

Posted: Tue Oct 06, 2009 10:04 pm
by Dazzled
This is one of those things you hear about but never actually see. If it's real, it's reputed to be a crude SSH dictionary attacker, associated with a corrupted Roundcube PHP mail server. Be careful where you get code from, particularly if you give it root access to the network.

Re: infected?

Posted: Wed Oct 14, 2009 5:27 pm
by lingg
Thank you John, I've informed this customer.