Full Disclosure mailing list archives
RE: Automated SSH login attempts?
From: "Todd Towles" <toddtowles () brookshires com>
Date: Thu, 29 Jul 2004 15:42:29 -0500
Hey Juan, hopefully you don't have the test user on your ssh server anymore. You just gave the IP address, port and username =)

-Todd

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Juan Carlos Navea
Sent: Thursday, July 29, 2004 8:38 AM
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Automated SSH login attempts?

One of the boxes at work actually got rooted through a successful attempt at the account test. They later proceeded to get root through a local exploit. This box was badly updated.

Log entries:

Jul 12 22:26:51 server sshd[12868]: Accepted password for test from 130.15.15.239 port 1954 ssh2
Jul 12 22:42:35 server sshd[13998]: Accepted password for test from 216.55.164.10 port 56454 ssh2
...

These were followed by more attempts at users test/guest/admin/root.

Our ISP shut us down as some other admins reported that this box was now attempting brute force logins on other boxes within the same network space. This actually included one of our other boxes which luckily was not rooted.

Anyways, once we managed to bring our box back up we noticed that after the successful login, it proceeded to install a rootkit. In this case we detected SuckIt. After various attempts, we were able to remove SuckIt:

[root@server .sk12]# ./sk u /dev/null
Detected version: 1.3b
Suckit uninstalled sucesfully!

As usual for this rootkit, it had installed an exploited sshd, a password sniffer and infected initd and telnetd. More info on sk:
www.phrack.org/show.php?p=58&a=7
Up to this day, we get at least 10 brute force attempts a day on most of our boxes.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
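The pattern Juan describes (a successful password login to a generic account such as test, and sources that hammer test/guest/admin/root) is easy to pick out of sshd syslog lines. The script below is an added example for this archive page, not code from either poster; it parses OpenSSH "Accepted"/"Failed" messages, counts failures per source, and raises an alert when an accepted login is either for a commonly guessed account or comes from a source that already failed several times. The two "Accepted" lines come from the thread; the other sample lines are constructed, using documentation-range addresses, and the threshold of 5 is an assumption.

```python
import re
from collections import Counter, defaultdict

# OpenSSH syslog shapes, matching the lines quoted in the thread.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# Accounts that the scanners in the thread were observed trying.
WATCHED_ACCOUNTS = {"test", "guest", "admin", "root"}

# Constructed sample log: the first two lines are the ones quoted by Juan,
# the rest are made up for this example (198.51.100.0/24 and 192.0.2.0/24
# are documentation ranges).
SAMPLE_LOG = [
    "Jul 12 22:26:51 server sshd[12868]: Accepted password for test from 130.15.15.239 port 1954 ssh2",
    "Jul 12 22:42:35 server sshd[13998]: Accepted password for test from 216.55.164.10 port 56454 ssh2",
    "Jul 12 23:01:02 server sshd[14101]: Failed password for invalid user guest from 198.51.100.7 port 40001 ssh2",
    "Jul 12 23:01:03 server sshd[14103]: Failed password for invalid user admin from 198.51.100.7 port 40002 ssh2",
    "Jul 12 23:01:04 server sshd[14105]: Failed password for root from 198.51.100.7 port 40003 ssh2",
    "Jul 12 23:01:05 server sshd[14107]: Failed password for root from 198.51.100.7 port 40004 ssh2",
    "Jul 12 23:01:06 server sshd[14109]: Failed password for root from 198.51.100.7 port 40005 ssh2",
    "Jul 12 23:01:08 server sshd[14111]: Accepted password for alice from 198.51.100.7 port 40006 ssh2",
    "Jul 12 23:15:00 server sshd[14200]: Accepted publickey for alice from 192.0.2.5 port 50000 ssh2",
]


def triage(lines, fail_threshold=5):
    """Return (alerts, brute_forcers) for a sequence of sshd log lines.

    alerts: accepted logins worth a look, each with the reasons it was flagged.
    brute_forcers: sources with >= fail_threshold failures, with the users tried.
    The threshold is an assumed value for this example, not a recommendation.
    """
    failures = Counter()            # source ip -> failed attempts so far
    tried_users = defaultdict(set)  # source ip -> usernames attempted
    alerts = []

    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]] += 1
            tried_users[m["ip"]].add(m["user"])
            continue

        m = ACCEPTED_RE.search(line)
        if not m:
            continue  # not an auth outcome line; ignore

        reasons = []
        if m["user"] in WATCHED_ACCOUNTS:
            reasons.append("login to commonly-guessed account")
        if failures[m["ip"]] >= fail_threshold:
            reasons.append(f"{failures[m['ip']]} prior failures from this source")
        if reasons:
            alerts.append({
                "ip": m["ip"], "user": m["user"],
                "method": m["method"], "reasons": reasons,
            })

    brute_forcers = {
        ip: {"failures": n, "users": sorted(tried_users[ip])}
        for ip, n in failures.items() if n >= fail_threshold
    }
    return alerts, brute_forcers


if __name__ == "__main__":
    found_alerts, sources = triage(SAMPLE_LOG)
    for a in found_alerts:
        print(f"ALERT {a['user']}@{a['ip']} via {a['method']}: {'; '.join(a['reasons'])}")
    for ip, info in sources.items():
        print(f"BRUTE-FORCE {ip}: {info['failures']} failures, users {info['users']}")
```

Feeding /var/log/auth.log (or the equivalent) into triage() line by line is enough to spot the two things that mattered in Juan's case: a password login to a throwaway account, and a source that guessed its way in. The same output is a reasonable trigger for the usual mitigations, such as disabling password authentication for service accounts or rate-limiting the offending source.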