Message-ID: <20040729060545.GC5152@bumboclaat.ebat.org>
From: jethro at docisland.org (Jerome)
Subject: about the automated ssh login attempts
Hi list,
While setting up a honeypot, I was able to identify some of the activity
associated with these login attempts.
After the honeypot had been probed for guest and test logins, I had someone
log in as test and fetch some tools from websites to use them on the
honeypot.
The tools were fetched from some .ro website, as per .bash_history and
captured keystrokes.
The toolkit I had the opportunity to see downloaded by the kid onto the
honeypot was made up of a bunch of components:
- ss: a copy of the "very fast" SYN scanner by HaitaTeam published
lately, at least on packetstorm
- haita: apparently the tool used to brute-force accounts
strings -a haita | grep SSH
SSH login bruteforcer by HaitaTeam
*though* guest and test accounts seem hardcoded, so unless they fix
that, it's not going to be a big threat for all of the other Joes'
accounts around.
And the final part:
- scan.sh: which is the kiddie's best friend for using these 2 tools
together:
#!/bin/sh
# Usage text is in Romanian; translation given in the comments below.
if [ $# != 1 ]
then
echo "Se da asa:"                  # "Run it like this:"
echo "$0 <clasa b>"                # "$0 <class B>" (a /16, e.g. 212.93)
echo "Exemplu:"                    # "Example:"
echo "$0 212.93"
# "If you don't catch anything ... check in this file that the right
#  network card is set, i.e. eth0, eth1, ppp0 etc."
echo "Daca nu prindeti ... verificati in fisieru \
asta sa fie pusa placa de retea care trebe adika \
eth0, eth1, ppp0 etc "
exit
fi
# Clear results from a previous run.
rm -f bios.txt vuln.txt uniq.txt
# SYN-scan the whole class B for port 22; ss writes responding hosts to bios.txt.
./ss 22 -b $1 -i eth0 -s 6
# Dedupe the host list into uniq.txt, which haita reads.
cat bios.txt |sort | uniq > uniq.txt
# Brute-force the (hardcoded) guest/test accounts on every host found.
./haita
I also had some other toolkits on the honeypot after the break-in, most
of them being local root exploits packed in a single archive, and some
mass-rooter for years-old remote vulnerabilities, but we all know them.
I can provide the bins if anyone's interested, but I didn't bother
yet to place them on some website; feel free to email.
cheers,
--
Jerome
[pgp keyid : 33D7802F http://pgp.mit.edu]
[key fingerprint : 82E6 C9C8 05D1 BEAC 9353 8ECB CEAF 6A0A 33D7 802F]
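The scan.sh above only drives the two tools; the kit's one constant is that it tries the guest and test accounts on every host that answers on port 22. As an added example (not from the original post, and not part of the HaitaTeam kit), here is detection logic that runs over sshd auth log lines and flags sources that touch those bait accounts, plus any that actually got in. The log lines are constructed for the example in OpenSSH's "Failed/Accepted password for ... from ... port ..." format (older releases say "illegal user", newer ones "invalid user"; both are matched); the host name, IPs and PIDs are made up.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not taken from the honeypot described above).
SAMPLE_LOG = """\
Jul 29 05:58:01 honey sshd[4021]: Failed password for illegal user guest from 192.0.2.77 port 33041 ssh2
Jul 29 05:58:02 honey sshd[4023]: Failed password for illegal user test from 192.0.2.77 port 33042 ssh2
Jul 29 05:58:03 honey sshd[4025]: Failed password for illegal user test from 192.0.2.77 port 33043 ssh2
Jul 29 05:58:04 honey sshd[4027]: Accepted password for test from 192.0.2.77 port 33044 ssh2
Jul 29 06:01:10 honey sshd[4101]: Failed password for root from 198.51.100.5 port 51022 ssh2
Jul 29 06:01:12 honey sshd[4103]: Failed password for illegal user guest from 198.51.100.5 port 51023 ssh2
Jul 29 06:02:00 honey sshd[4110]: Failed password for jerome from 203.0.113.9 port 40010 ssh2
"""

# Matches both the old "illegal user" and the newer "invalid user" wording.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:(?:illegal|invalid) user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# The accounts the kit is observed to try (hardcoded in haita, per the post).
BAIT_USERS = {"guest", "test"}


def parse_auth(lines):
    """Yield (result, user, ip) for every sshd password-auth line; skip the rest."""
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("ip")


def summarize(lines):
    """Per source IP: bait accounts tried, failed attempts, and accepted user names."""
    stats = defaultdict(lambda: {"bait": set(), "failed": 0, "accepted": []})
    for result, user, ip in parse_auth(lines):
        s = stats[ip]
        if user in BAIT_USERS:
            s["bait"].add(user)
        if result == "Failed":
            s["failed"] += 1
        else:
            s["accepted"].append(user)
    return dict(stats)


def flag_scanner_ips(lines):
    """IPs that tried any bait account. Since the kit only knows guest/test,
    a single attempt on either is enough to attribute the source to it."""
    return sorted(ip for ip, s in summarize(lines).items() if s["bait"])


def compromised_ips(lines):
    """IPs that got an Accepted login on a bait account, i.e. the host was had."""
    return sorted(ip for ip, s in summarize(lines).items()
                  if any(u in BAIT_USERS for u in s["accepted"]))


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("scanner sources:", flag_scanner_ips(lines))
    print("successful bait logins from:", compromised_ips(lines))
```

Feed it `/var/log/auth.log` (or `secure` on Red Hat-style systems) instead of the sample. A source that tries only guest and test and nothing else is the signature of this particular kit; a hit in `compromised_ips` means you should go look for a downloaded toolkit just as in the post.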