Full Disclosure mailing list archives

Re: Automated SSH login attempts?

From: Stefan Janecek <stefan.janecek () jku at>
Date: Fri, 30 Jul 2004 21:20:14 +0200

On Fri, 2004-07-30 at 13:51, Jan Muenther wrote:

Now, if anybody could jump through the hoop and send me the thing or make it
publicly available... all these things are musings, 'it looks as if...' and 'it
seems like...' are not exactly results of an analysis.


Agreed. The thing *is* publicly available, just do 'wget
frauder.us/linux/ssh.tgz'. What kept me from disassembling the thing so
far is not availability, but lacking knowledge about the ssh protocol on
my side ;-)


Just tracing tcpdump's output is definitely insufficient. 
If the tool just sends normal TCP packets, then why does it need root rights, 
which you typically only require for raw sockets to build packets which can't
be constructed with SOCK_STREAM or SOCK_DGRAM?


The tool itself dos not need root rights. What needs to be root is the
portscanner accompanying it.

I hope you don't run it on your production boxes in the normal userland - ever
considered the fact it might contain an ELF infector or something?
Now, if I wanted to deploy malware on a Linux box, I'd just come up with a 
mysterious looking tool and let that infect the machines of people who just
run anything they can get a hold of. It's Linux, after all, right? No viruses,
right?


hehe. According to a brief look at the strace of this thingy, it does
not do anything suspicious on the local box. But maybe I should have a
second look - who knows?

Do I take it that these things are just trying to log in using some 
guessed password(s) ? Out of interest, do we have any idea what these 
opportunistic passwords might be ?


At least two of them are guest:guest and test:test. I'd guess that 
root:root and admin@admin are on the list too :-)


This things needs to be disassembled, debugged and traced. All else is just
whistling in the dark. Meh.


Right. And somebody volunteered for this job right now, did you? ;-)

cheers,
Stefan


Cheers, J.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Re: Automated SSH login attempts?, (continued)
- Re: Automated SSH login attempts? Shafik Yaghmour (Jul 26)
- Re: Automated SSH login attempts? Alain Crespo (Jul 28)
- Re: Automated SSH login attempts? syrrus (Jul 25)
- Re: Automated SSH login attempts? Joe Hickory (Jul 27)
- Re: Automated SSH login attempts? Juan Carlos Navea (Jul 29)
  - RE: Automated SSH login attempts? Todd Towles (Jul 29)
  - Re: Automated SSH login attempts? Ali Campbell (Jul 29)
    - Re: Automated SSH login attempts? Andrew Farmer (Jul 29)
    - Re: Automated SSH login attempts? Jan Muenther (Jul 30)
    - RE: Automated SSH login attempts? Todd Towles (Jul 30)
    - Re: Automated SSH login attempts? Stefan Janecek (Jul 30)
    - Re: Automated SSH login attempts? Jan Muenther (Jul 31)
    - Re: Automated SSH login attempts? Andrew Farmer (Jul 30)
    - Re: Automated SSH login attempts? Christian Fromme (Jul 30)
- Re: Automated SSH login attempts? Stefan Janecek (Jul 29)
  - Re: Re: Automated SSH login attempts? Valdis . Kletnieks (Jul 29)
    - Re: Re: Automated SSH login attempts? Jan Muenther (Jul 30)
  - Re: Re: Automated SSH login attempts? Andrei Galca-Vasiliu (Jul 29)
    - Re: Re: Automated SSH login attempts? Max Valdez (Jul 29)
    - Re: Re: Automated SSH login attempts? dmargoli (Jul 29)
    - Re: Re: Automated SSH login attempts? Ron DuFresne (Jul 29)

(Thread continues...)