lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <004b01c47634$2fed14e0$fc11010a@msad.brookshires.net>
From: toddtowles at brookshires.com (Todd Towles)
Subject: Automated SSH login attempts?

Jan is right - looking at the code might be the only way to know what is
really happening.

We all await your disassembled, debugged and traced code analysis, Jan. =)

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Jan Muenther
Sent: Friday, July 30, 2004 6:52 AM
To: Andrew Farmer
Cc: Ali Campbell; full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] Automated SSH login attempts?


Now, if anybody could jump through the hoop and send me the thing or make it
publicly available... all these things are musings, 'it looks as if...' and
'it
seems like...' are not exactly results of an analysis. 

Just tracing tcpdump's output is definitely insufficient. 
If the tool just sends normal TCP packets, then why does it need root
rights, 
which you typically only require for raw sockets to build packets which
can't
be constructed with SOCK_STREAM or SOCK_DGRAM?

I hope you don't run it on your production boxes in the normal userland -
ever
considered the fact it might contain an ELF infector or something?
Now, if I wanted to deploy malware on a Linux box, I'd just come up with a 
mysterious looking tool and let that infect the machines of people who just
run anything they can get a hold of. It's Linux, after all, right? No
viruses,
right?

> >Do I take it that these things are just trying to log in using some 
> >guessed password(s) ? Out of interest, do we have any idea what these 
> >opportunistic passwords might be ?
> 
> At least two of them are guest:guest and test:test. I'd guess that 
> root:root and admin@...in are on the list too :-)

This things needs to be disassembled, debugged and traced. All else is just
whistling in the dark. Meh. 

Cheers, J.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ