Message-ID: <000201c475ac$908b27c0$fc11010a@msad.brookshires.net>
From: toddtowles at brookshires.com (Todd Towles)
Subject: Automated SSH login attempts?

Hey Juan, hopefully you don't have the test user on your ssh server anymore.
You just gave the IP address, port and username =)

-Todd

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Juan Carlos
Navea
Sent: Thursday, July 29, 2004 8:38 AM
To: full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] Automated SSH login attempts?

One of the boxes at work actually got rooted through a successful
attempt at the account test. They later proceeded to get root through
a local exploit. This box was badly updated.

log entries..

Jul 12 22:26:51 server sshd[12868]: Accepted password for test from
130.15.15.239 port 1954 ssh2
Jul 12 22:42:35 server sshd[13998]: Accepted password for test from
216.55.164.10 port 56454 ssh2

...

These were followed by more attempts at users test/guest/admin/root

Our ISP shut us down as some other admins reported that this box was
now attempting brute force logins on other boxes within the same
network space. This actually included one of our other boxes which
luckily was not rooted.

Anyways, once we managed to bring our box back up we noticed that
after the successful login, it proceeded to install a rootkit. In this
case we detected SuckIt.

After various attempts, we were able to remove SuckIt:

[root@...ver .sk12]# ./sk u
/dev/null
Detected version: 1.3b
Suckit uninstalled sucesfully!

As usual for this rootkit, it had installed an exploited sshd, a
password sniffer and infected initd and telnetd.

More info on sk:
www.phrack.org/show.php?p=58&a=7

Up to this day, we get at least 10 brute force attempts a day on most
of our boxes.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
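The two "Accepted password for test" lines quoted above are exactly the kind of event a log-watching check should flag before the attacker gets to the local root exploit. Below is an added example (not code from Juan Carlos, Todd, or anyone on this thread) of such a check: it parses sshd "Accepted"/"Failed" entries in the same syslog format as the post, and raises an alert when a password login succeeds for a default or never-provisioned account (test, guest, admin, root), or when a login is accepted from an address that has already produced a run of failures, i.e. the brute-force-then-success pattern. The sample log lines are constructed for this example (modelled on the two lines in the post, with made-up failures and a benign publickey login added); the account list and the failure threshold of 3 are assumptions a reader would tune to their own hosts.

```python
import re
from collections import defaultdict

# Constructed sample sshd log (not taken from any real host); the two
# "Accepted password for test" lines follow the format quoted in the post.
SAMPLE_LOG = """\
Jul 12 22:20:01 server sshd[12801]: Failed password for invalid user admin from 130.15.15.239 port 1901 ssh2
Jul 12 22:20:03 server sshd[12803]: Failed password for root from 130.15.15.239 port 1902 ssh2
Jul 12 22:20:05 server sshd[12805]: Failed password for guest from 130.15.15.239 port 1903 ssh2
Jul 12 22:20:07 server sshd[12807]: Failed password for test from 130.15.15.239 port 1904 ssh2
Jul 12 22:26:51 server sshd[12868]: Accepted password for test from 130.15.15.239 port 1954 ssh2
Jul 12 22:42:35 server sshd[13998]: Accepted password for test from 216.55.164.10 port 56454 ssh2
Jul 12 23:01:10 server sshd[14102]: Accepted publickey for alice from 10.0.0.5 port 40210 ssh2
"""

# Matches both "Accepted <method> for <user> from <ip> port <n>" and
# "Failed <method> for [invalid user] <user> from <ip> port <n>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

# Assumed list of accounts that should never log in with a password.
# Extend with any local service or test accounts on the host.
DEFAULT_ACCOUNTS = {"test", "guest", "admin", "root"}


def parse(log_text):
    """Turn raw sshd syslog lines into dicts; lines that do not match are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_suspicious_logins(events, fail_threshold=3):
    """Return (timestamp, user, ip, reasons) for every accepted login that is
    either a password login to a default account or follows at least
    fail_threshold failures from the same source address."""
    failures = defaultdict(int)
    alerts = []
    for e in events:
        if e["result"] == "Failed":
            failures[e["ip"]] += 1
            continue
        reasons = []
        if e["method"] == "password" and e["user"] in DEFAULT_ACCOUNTS:
            reasons.append("password login to default account")
        if failures[e["ip"]] >= fail_threshold:
            reasons.append("accepted after %d failures from same IP" % failures[e["ip"]])
        if reasons:
            alerts.append((e["ts"], e["user"], e["ip"], reasons))
    return alerts


def attempts_by_ip(events):
    """Count total login attempts per source address, useful for spotting the
    scanners the post describes hitting the boxes many times a day."""
    counts = defaultdict(int)
    for e in events:
        counts[e["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for ts, user, ip, reasons in find_suspicious_logins(evs):
        print("%s ALERT user=%s from=%s: %s" % (ts, user, ip, "; ".join(reasons)))
    print("attempts per IP:", attempts_by_ip(evs))
```

Run against the sample, both accepted "test" logins are reported (the first one also for following four failures from 130.15.15.239) and the publickey login for alice is not. The check is reactive, of course; the box in the post would not have been rooted in the first place with the test account removed and password authentication disabled for the accounts that remain.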

