From: stefan.janecek at jku.at (Stefan Janecek)
Subject: Automated SSH login attempts?

On Fri, 2004-07-30 at 13:51, Jan Muenther wrote:
> Now, if anybody could jump through the hoop and send me the thing or make it
> publicly available... all these things are musings, 'it looks as if...' and 'it
> seems like...' are not exactly results of an analysis.

Agreed. The thing *is* publicly available, just do 'wget
frauder.us/linux/ssh.tgz'. What kept me from disassembling the thing so
far is not availability, but lacking knowledge about the ssh protocol on
my side ;-)
 
> 
> Just tracing tcpdump's output is definitely insufficient. 
> If the tool just sends normal TCP packets, then why does it need root rights, 
> which you typically only require for raw sockets to build packets which can't
> be constructed with SOCK_STREAM or SOCK_DGRAM?
> 

The tool itself does not need root rights. What needs to be root is the
portscanner accompanying it.

> I hope you don't run it on your production boxes in the normal userland - ever
> considered the fact it might contain an ELF infector or something?
> Now, if I wanted to deploy malware on a Linux box, I'd just come up with a 
> mysterious looking tool and let that infect the machines of people who just
> run anything they can get a hold of. It's Linux, after all, right? No viruses,
> right?

hehe. According to a brief look at the strace of this thingy, it does
not do anything suspicious on the local box. But maybe I should have a
second look - who knows? 

> 
> > >Do I take it that these things are just trying to log in using some 
> > >guessed password(s) ? Out of interest, do we have any idea what these 
> > >opportunistic passwords might be ?
> > 
> > At least two of them are guest:guest and test:test. I'd guess that 
> > root:root and admin@...in are on the list too :-)
> 
> This thing needs to be disassembled, debugged and traced. All else is just
> whistling in the dark. Meh. 

Right. And somebody volunteered for this job right now, did you? ;-)

cheers,
Stefan

> 
> Cheers, J.
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
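The thread never settles what the tool does, but it does record the observable pattern on the receiving end: rapid password failures from one source spread across default accounts (guest:guest and test:test are confirmed, root and admin guessed). Below is an added example, not code from the thread or from the tool under discussion, that pulls that pattern out of sshd log lines. The log lines, the host names and the 192.0.2.x / 198.51.100.x addresses are constructed for the example; the thresholds in flag_bruteforce are assumptions chosen to separate an automated guesser from a user who mistyped a password once.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not taken from the original thread),
# in the syslog format OpenSSH writes. "invalid user" marks a username that
# does not exist on the box at all.
SAMPLE_LOG = """\
Jul 30 13:51:02 host sshd[2231]: Failed password for invalid user guest from 192.0.2.10 port 40122 ssh2
Jul 30 13:51:03 host sshd[2233]: Failed password for invalid user test from 192.0.2.10 port 40123 ssh2
Jul 30 13:51:04 host sshd[2235]: Failed password for root from 192.0.2.10 port 40124 ssh2
Jul 30 13:51:05 host sshd[2237]: Failed password for invalid user admin from 192.0.2.10 port 40125 ssh2
Jul 30 13:52:10 host sshd[2301]: Accepted publickey for alice from 198.51.100.7 port 51000 ssh2
Jul 30 13:53:00 host sshd[2310]: Failed password for alice from 198.51.100.7 port 51001 ssh2
Jul 30 13:53:05 host sshd[2312]: Accepted password for alice from 198.51.100.7 port 51002 ssh2
"""

# Accounts the thread names as targets of the opportunistic guesses
# (guest, test) plus the two the poster guessed (root, admin).
DEFAULT_ACCOUNTS = {"guest", "test", "root", "admin"}

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text):
    """Yield (ip, user, is_invalid_user) for every failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user"), m.group("invalid") is not None


def summarize(log_text):
    """Per source IP: failure count, distinct usernames tried, default-account hits."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "default_hits": 0})
    for ip, user, _ in parse_failures(log_text):
        s = stats[ip]
        s["failures"] += 1
        s["users"].add(user)
        if user in DEFAULT_ACCOUNTS:
            s["default_hits"] += 1
    return dict(stats)


def flag_bruteforce(log_text, min_failures=3, min_distinct_users=2):
    """Return source IPs whose failures look automated rather than a typo:
    several failures, spread over more than one username, and most of them
    against well-known default accounts. Thresholds are assumptions."""
    flagged = []
    for ip, s in summarize(log_text).items():
        if (s["failures"] >= min_failures
                and len(s["users"]) >= min_distinct_users
                and s["default_hits"] >= min_failures):
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(ip, s["failures"], sorted(s["users"]), s["default_hits"])
    print("flagged:", flag_bruteforce(SAMPLE_LOG))
```

Run against the sample, the scanner at 192.0.2.10 is flagged (four failures over four default accounts within seconds) while alice's single mistyped password from 198.51.100.7 is not. Feeding real /var/log/auth.log text to summarize() gives the same per-source view; the "invalid user" flag from parse_failures is worth keeping in a real deployment, since a guesser probing accounts that do not exist is a stronger signal than repeated failures against one real account.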


