Message-ID: <1091215212.1593.13.camel@localhost>
From: stefan.janecek at jku.at (Stefan Janecek)
Subject: Automated SSH login attempts?
On Fri, 2004-07-30 at 13:51, Jan Muenther wrote:
> Now, if anybody could jump through the hoop and send me the thing or make it
> publicly available... all these things are musings, 'it looks as if...' and 'it
> seems like...' are not exactly results of an analysis.
Agreed. The thing *is* publicly available, just do 'wget
frauder.us/linux/ssh.tgz'. What kept me from disassembling the thing so
far is not availability, but lacking knowledge about the ssh protocol on
my side ;-)
>
> Just tracing tcpdump's output is definitely insufficient.
> If the tool just sends normal TCP packets, then why does it need root rights,
> which you typically only require for raw sockets to build packets which can't
> be constructed with SOCK_STREAM or SOCK_DGRAM?
>
The tool itself does not need root rights. What needs to be root is the
portscanner accompanying it.
> I hope you don't run it on your production boxes in the normal userland - ever
> considered the fact it might contain an ELF infector or something?
> Now, if I wanted to deploy malware on a Linux box, I'd just come up with a
> mysterious looking tool and let that infect the machines of people who just
> run anything they can get a hold of. It's Linux, after all, right? No viruses,
> right?
hehe. According to a brief look at the strace of this thingy, it does
not do anything suspicious on the local box. But maybe I should have a
second look - who knows?
>
> > >Do I take it that these things are just trying to log in using some
> > >guessed password(s) ? Out of interest, do we have any idea what these
> > >opportunistic passwords might be ?
> >
> > At least two of them are guest:guest and test:test. I'd guess that
> > root:root and admin@...in are on the list too :-)
>
> This thing needs to be disassembled, debugged and traced. All else is just
> whistling in the dark. Meh.
Right. And somebody volunteered for this job right now, did you? ;-)
cheers,
Stefan
>
> Cheers, J.
>
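Detecting the kind of opportunistic guessing the thread describes, as an added example that is not part of the original post: a parser for OpenSSH "Failed password" log lines that groups failures by source address and flags sources that hit the default accounts named above (guest, test, root, admin) or that fail repeatedly. The sample log lines, hostnames and addresses are constructed.

```python
import re
from collections import defaultdict

# Matches OpenSSH "Failed password" entries; the optional "invalid user"
# marker means the account does not exist on the box at all.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Default-account names the thread reports being tried opportunistically.
PROBE_ACCOUNTS = {"guest", "test", "root", "admin"}

def parse_failed_logins(lines):
    """Yield (source_ip, username, is_invalid_user) per failed-password line."""
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user"), bool(m.group("invalid"))

def summarize_by_source(lines, threshold=3):
    """Group failures by source IP and flag sources whose volume, use of
    non-existent accounts, or choice of default usernames looks automated."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "invalid": 0})
    for ip, user, invalid in parse_failed_logins(lines):
        rec = per_ip[ip]
        rec["attempts"] += 1
        rec["users"].add(user)
        rec["invalid"] += invalid
    report = {}
    for ip, rec in per_ip.items():
        probing = rec["users"] & PROBE_ACCOUNTS
        suspicious = (rec["attempts"] >= threshold or bool(probing)
                      or rec["invalid"] > 0)
        report[ip] = {"attempts": rec["attempts"], "users": sorted(rec["users"]),
                      "probe_accounts": sorted(probing), "suspicious": suspicious}
    return report

# Constructed sample auth log: one guessing source, one legitimate typo.
SAMPLE_LOG = [
    "Jul 30 13:51:02 host sshd[1234]: Failed password for invalid user guest from 192.0.2.10 port 40122 ssh2",
    "Jul 30 13:51:03 host sshd[1234]: Failed password for invalid user test from 192.0.2.10 port 40123 ssh2",
    "Jul 30 13:51:04 host sshd[1235]: Failed password for root from 192.0.2.10 port 40124 ssh2",
    "Jul 30 13:51:05 host sshd[1236]: Accepted publickey for alice from 198.51.100.7 port 51000 ssh2",
    "Jul 30 13:51:06 host sshd[1237]: Failed password for alice from 198.51.100.7 port 51001 ssh2",
]

if __name__ == "__main__":
    for ip, info in summarize_by_source(SAMPLE_LOG).items():
        print(ip, info)
```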