Security Incidents mailing list archives
Re: SSH probe attack afoot?
From: Steven Harrison <smharr4 () qwest net>
Date: Mon, 07 Feb 2005 13:15:29 -0800
Martin Sarsale wrote:
> Every time I get one of those scans I'm curious about what those clients (bots or hax0rs) are using as passwords.
The lists of usernames and passwords are hard-coded in the application used for the brute-force attack. Seems a little inefficient, but it's easier to distribute and hide one file on a cracked system than it is to hide the application file, a file of users and a file of passwords.
I have a link to the source code used on one of my webpages: http://smharr4.dnsalias.net/index.php/Ssh
> Does it make any sense to log the password they're using, apart from satisfying my curiosity?
The passwords they try are known (they're in the code), but if you're curious then why not?
> And: does ssh provide this kind of functionality? (I know it could be a security breach in case you type your root password in uppercase and it ends up in your logs)
Not by default, you'd need to slightly modify the code for your openssh server. In my case, I amended the code to auth-passwd.c to log the password. From my source copy of openssh 3.9p1, lines 58 through 70:

/*
 * Tries to authenticate the user using password.  Returns true if
 * authentication succeeds.
 */
int
auth_password(Authctxt *authctxt, const char *password)
{
    logit("Password used: %s", password);
    struct passwd * pw = authctxt->pw;
    int ok = authctxt->valid;
#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
    static int expire_checked = 0;
#endif

This will log every password, even yours - be careful where you log to and who gets to see them.
--
Steven Harrison
Unix Systems Administrator
9 STOP statement, 0:1
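
An added example, not part of the original post or of OpenSSH: one way to review the output of the patch above, pairing each "Password used:" line with sshd's own result line and scrubbing any password that belonged to an accepted login. The log lines are constructed samples, the function names `correlate` and `top_passwords` are hypothetical, and it assumes both lines carry the same `sshd[pid]`.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the original post). Assumption: the
# "Password used:" line and sshd's own result line carry the same sshd[pid].
SAMPLE_LOG = """\
Feb  7 13:02:11 host sshd[4101]: Password used: test
Feb  7 13:02:11 host sshd[4101]: Failed password for illegal user test from 192.0.2.10 port 40112 ssh2
Feb  7 13:02:13 host sshd[4102]: Password used: guest
Feb  7 13:02:13 host sshd[4102]: Failed password for guest from 192.0.2.10 port 40113 ssh2
Feb  7 13:05:40 host sshd[4188]: Password used: Corr3ct-Horse
Feb  7 13:05:40 host sshd[4188]: Accepted password for alice from 198.51.100.7 port 51000 ssh2
Feb  7 13:06:02 host sshd[4190]: Password used: test
Feb  7 13:06:02 host sshd[4190]: Failed password for root from 192.0.2.44 port 33001 ssh2
"""

PW_RE = re.compile(r"sshd\[(\d+)\]: Password used: (.*)$")
RESULT_RE = re.compile(
    r"sshd\[(\d+)\]: (Failed|Accepted) password for "
    r"((?:invalid|illegal) user )?(\S+) from (\S+) port \d+")

def correlate(log_text):
    """Pair each logged password with sshd's verdict for the same pid.

    Returns (attempts, lines): attempts holds (user, password, source,
    account_exists) for failed logins; lines is the log with the password of
    every accepted login replaced by [REDACTED].
    """
    pending = {}              # pid -> (line index, password, offset of password)
    lines, attempts = [], []
    for line in log_text.splitlines():
        lines.append(line)
        m = PW_RE.search(line)
        if m:
            pending[m.group(1)] = (len(lines) - 1, m.group(2), m.start(2))
            continue
        m = RESULT_RE.search(line)
        if not m or m.group(1) not in pending:
            continue
        idx, password, offset = pending.pop(m.group(1))
        _, verdict, unknown, user, source = m.groups()
        if verdict == "Accepted":
            # A working credential reached the log: scrub it.
            lines[idx] = lines[idx][:offset] + "[REDACTED]"
        else:
            attempts.append((user, password, source, unknown is None))
    return attempts, lines

def top_passwords(attempts):
    """Guessed passwords ordered by how often they were tried."""
    return Counter(pw for _, pw, _, _ in attempts).most_common()
```

A failed attempt against an existing account (`account_exists` is true) may be a legitimate user's typo, so those passwords deserve the same care as the redacted ones.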