#########################################################################
DETECTING SSH LOGINS THAT USE A MAGIC_PASSWD

Author : KillFinger
Email  : killfinger@yahoo.com
IRC    : #SecretColony, #Level9-Team @DAL.net
SecretColony Lab N Research Group.
#########################################################################

Just read n no comment ...

1. Login with the magic passwd:

[kill@localhost project]$ ssh -l deMilo localhost
deMilo@localhost's password:
Last login: Thu Oct 15 11:51:04 2003 from localhost
[root@localhost deMilo]#

2. Look closely at this part:

[root@localhost deMilo]# ps awux
root     10320  0.0  0.5   2960  1352 ?      S    11:46   0:00 /usr/sbin/sshd
kill     11507  1.1  4.3  53120 11052 ?      S    13:01   0:01 xmms
kill     11557  0.1  0.5   2984  1476 pts/1  S    13:02   0:00 ssh -l deMilo localhost
root     11558  0.0  0.5   5556  1536 ?      S    13:02   0:00 sshd: deMilo [priv]
root     11561  0.0  0.6   5644  1644 ?      S    13:02   0:00 sshd:
root     11879  0.4  0.5   2600  1512 pts/2  S    13:19   0:00 -bash
kill     12206  2.2  0.5   2976  1468 pts/3  S    13:31   0:00 ssh -l john localhost
root     12207  0.6  0.6   5556  1556 ?      S    13:31   0:00 sshd: john [priv]
john     12209  0.0  0.6   5644  1656 ?      S    13:31   0:00 [sshd]
john     12212  2.6  0.5   2600  1512 pts/5  S    13:31   0:00 -bash
kill     12722  0.0  0.5   2976  1468 pts/4  S    14:09   0:00 ssh -l root localhost
root     12723  0.0  0.6   5564  1580 ?      S    14:09   0:00 sshd: root@pts/6
root     12728  0.0  0.5   2604  1516 pts/6  S    14:09   0:00 -bash

Explanation of the above:

-- A user who logs in with login_name "deMilo" using the magic passwd automatically becomes root:

root     11558  0.0  0.5   5556  1536 ?      S    13:02   0:00 sshd: deMilo [priv]
root     11561  0.0  0.6   5644  1644 ?      S    13:02   0:00 sshd:
root     11879  0.4  0.5   2600  1512 pts/2  S    13:19   0:00 -bash

-- A user who logs in with login_name "john" using his own (valid) passwd:

root     12207  0.6  0.6   5556  1556 ?      S    13:31   0:00 sshd: john [priv]
john     12209  0.0  0.6   5644  1656 ?      S    13:31   0:00 [sshd]
john     12212  2.6  0.5   2600  1512 pts/5  S    13:31   0:00 -bash

-- Your sshd has been infected with magic-passwd if every user who logs in shows up like this:

root     11558  0.0  0.5   5556  1536 ?      S    13:02   0:00 sshd: login_name [priv]
root     11561  0.0  0.6   5644  1644 ?      S    13:02   0:00 sshd:

-- A normal (uninfected) system:

root     12207  0.0  0.5   5556  1536 ?      S    13:31   0:00 /usr/sbin/sshd
john     12209  0.0  0.6   5644  1656 ?      S    13:31   0:00 [sshd]      <-- in brackets when a user logs in

-- When root logs in with a valid passwd:

root     12723  0.0  0.6   5564  1580 ?      S    14:09   0:00 sshd: root@pts/6   <-- root with a valid passwd looks like this
root     12728  0.0  0.5   2604  1516 pts/6  S    14:09   0:00 -bash

3. Login with login_name "apache" using the magic passwd:

[kill@localhost project]$ ssh -l apache localhost
apache@localhost's password:
-sh-2.05b# id
uid=0(root) gid=0(root) groups=0(root)
-sh-2.05b# pwd
/var/www
-sh-2.05b#

4. The signs are visible:

[kill@localhost project]$ ps awux
kill     11861  1.2  4.1  53248 10720 ?      S    13:18   0:01 xmms
kill     11931  0.5  0.5   2984  1476 pts/4  S    13:20   0:00 ssh -l apache localhost
root     11932  0.0  0.5   5556  1536 ?      S    13:20   0:00 sshd: apache [priv]
root     11934  0.0  0.6   5644  1644 ?      S    13:20   0:00 sshd:
root     11937  0.2  0.5   2600  1516 pts/2  S    13:20   0:00 -sh
kill     11967  0.0  0.2   2580   760 pts/1  R    13:20   0:00 ps awux

Conclusion:

Every valid passwd used to log in is being logged somewhere whenever "sshd:" is present. In other words, if you find a bare "sshd:" in the output of "ps awux", your system has been infected with "magic_passwd".

ExpLorE y0uR 0wN sYstEm. B-Creative!!!!

5. Closing

Keep this Open-Source spirit up. This system is aLL about binary, if you are NOT 1 then you are 0. Knowledge belongs to the world, share it.

Criticism, suggestions and abuse: send them to killfinger@yahoo.com.

Online BUddiEs: A_BlAcK_LisT, Acetosal, jhon angga, ryan_the, ucoxxx, AcCezZdENieD and KIDS_KIDS.
Special thanks to the friends who can't be named one by one in #SecretColony, #Level9-Team @t DAL.Net.
Offline d00d: t0t0 at jasakom (when are we playing in the band again?), erich, d0nny, edd0, din0 at SecretColony Labs n Research Group, /bsp/mnt, y0gas.

-----------------------
To follow the path; look to the master, follow the master, walk with the master, see through the master, become the master.
-----------------------

Hacking is NOT instant.

Best Regs
KillFinger
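The conclusion above boils down to one `ps awux` rule: a per-login sshd child reported as a bare "sshd:" (no "<user>@<tty>" suffix) is the trojaned daemon. The following Python script is an added example, not part of the original write-up; it parses BSD-style `ps awux` output, applies that rule, and recovers the login name from the "sshd: <name> [priv]" parent that precedes the flagged child in PID order. The sample output is constructed from the process lines shown above plus a second, clean listing; the names `parse_ps`, `find_magic_passwd_indicators`, `is_infected` and `scan_live_host` are this example's own. One caveat a practitioner should keep in mind: current OpenSSH with privilege separation labels its processes "sshd: user [priv]" and "sshd: user@pts/N" on a healthy host, so the "[priv]" parent alone is not an indicator; only the child with nothing after "sshd:" is treated as one here, and a match should be confirmed against the sshd binary's package checksum rather than acted on by itself.

```python
"""Flag the trojaned-sshd indicator from the write-up: a per-login child
whose COMMAND is exactly "sshd:". Added example, not the author's code."""
import re
import subprocess
from dataclasses import dataclass

# Constructed sample: process lines from the write-up with a header row added.
# The bare "sshd:" at PID 11561 is the indicator; everything else is benign.
SAMPLE_INFECTED = """\
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 10320 0.0 0.5 2960 1352 ? S 11:46 0:00 /usr/sbin/sshd
kill 11557 0.1 0.5 2984 1476 pts/1 S 13:02 0:00 ssh -l deMilo localhost
root 11558 0.0 0.5 5556 1536 ? S 13:02 0:00 sshd: deMilo [priv]
root 11561 0.0 0.6 5644 1644 ? S 13:02 0:00 sshd:
root 11879 0.4 0.5 2600 1512 pts/2 S 13:19 0:00 -bash
root 12207 0.6 0.6 5556 1556 ? S 13:31 0:00 sshd: john [priv]
john 12209 0.0 0.6 5644 1656 ? S 13:31 0:00 [sshd]
john 12212 2.6 0.5 2600 1512 pts/5 S 13:31 0:00 -bash
root 12723 0.0 0.6 5564 1580 ? S 14:09 0:00 sshd: root@pts/6
root 12728 0.0 0.5 2604 1516 pts/6 S 14:09 0:00 -bash
"""

# Constructed sample of a clean host: listener, a "[priv]" parent with the
# "[sshd]" child form shown in the write-up, and a modern "user@tty" child.
SAMPLE_CLEAN = """\
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 10320 0.0 0.5 2960 1352 ? S 11:46 0:00 /usr/sbin/sshd
root 12207 0.0 0.5 5556 1536 ? S 13:31 0:00 sshd: john [priv]
john 12209 0.0 0.6 5644 1656 ? S 13:31 0:00 [sshd]
john 12212 2.6 0.5 2600 1512 pts/5 S 13:31 0:00 -bash
root 12723 0.0 0.6 5564 1580 ? S 14:09 0:00 sshd: root@pts/6
root 12728 0.0 0.5 2604 1516 pts/6 S 14:09 0:00 -bash
"""


@dataclass
class Proc:
    user: str
    pid: int
    tty: str
    command: str


def parse_ps(text: str) -> list[Proc]:
    """Parse `ps awux` output. COMMAND is the 11th column and may contain
    spaces, so each line is split at most 10 times; the header is skipped."""
    procs = []
    for line in text.splitlines():
        fields = line.split(None, 10)
        if len(fields) < 11 or fields[0] == "USER":
            continue
        procs.append(Proc(fields[0], int(fields[1]), fields[6], fields[10]))
    return procs


PRIV_RE = re.compile(r"^sshd: (\S+) \[priv\]$")


def find_magic_passwd_indicators(procs: list[Proc]) -> list[dict]:
    """Return one finding per bare "sshd:" child, in PID order.

    Benign forms are ignored: "/usr/sbin/sshd" (listener),
    "sshd: <user> [priv]" (privilege-separation parent), and the
    per-login child as "[sshd]" or "sshd: <user>@<tty>". The login name
    comes from the "[priv]" parent seen just before the flagged child."""
    findings = []
    pending_login = None
    for p in sorted(procs, key=lambda q: q.pid):
        if not (p.command.startswith("sshd") or p.command == "[sshd]"):
            continue
        m = PRIV_RE.match(p.command)
        if m:
            pending_login = m.group(1)
        elif p.command == "sshd:":
            findings.append({"pid": p.pid, "user": p.user, "login_name": pending_login})
            pending_login = None
        else:
            pending_login = None  # a normal per-login child followed the parent
    return findings


def is_infected(ps_output: str) -> bool:
    """True when the write-up's indicator appears in the given listing."""
    return bool(find_magic_passwd_indicators(parse_ps(ps_output)))


def scan_live_host() -> list[dict]:
    """Run the same check against this host's real `ps awux` output."""
    out = subprocess.run(["ps", "awux"], capture_output=True, text=True, check=True).stdout
    return find_magic_passwd_indicators(parse_ps(out))


if __name__ == "__main__":
    for name, sample in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(name, find_magic_passwd_indicators(parse_ps(sample)))
```

Run it as-is to see the constructed samples classified, or call `scan_live_host()` on a host you administer; a finding gives the PID of the suspect child so it can be compared against the package-managed sshd binary and the login records for that session.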