Educause Security Discussion mailing list archives
Re: dictionary attacks against root
From: Eric Pancer <epancer () SECURITY DEPAUL EDU>
Date: Sun, 22 Aug 2004 00:00:00 GMT
I thought we were keeping that channel private :-) I'm actually away from keyboard today, for once!

-----Original Message-----
From: Dave Monnier <dmonnier () IU EDU>
Date: Sun, 22 Aug 2004 13:11:29
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] dictionary attacks against root

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Members of the UNISOG IRC group have been following this for a month or so. Groups at Indiana University, DePaul University, University of Minnesota, and Kansas State University have all done analysis of the scanners and tools. Since our first look at the code, on July 21st, we've now seen at least four variants of the attack.

Initially the process was as follows:

1. Attacking host, using a port scanner, looks for open sshd ports. This scan appeared to cover the entire public internet.

2. Once this piece of software found an open sshd, it would hand the IP to another piece of code. This was a specially written ssh client designed to attempt three login/password combinations: test, guest, and admin. Some small percentage of hosts on the internet were successfully accessed using this method. On success, this code would record the IP and account for later use.

3. Using the list of successful logins, attackers would then manually access the system. Forensic analysis of the intrusions showed that this step was done manually, as there were typos in the shell history and inconsistency in method across hosts. Once inside, the attackers would grab a local system exploit (a few of the Linux kernel exploits published in the last year), escalate their privileges, and install a root kit (in almost all cases Suckit was used). Once root access was attained, the attackers would then pull down their tools and start the same process over from there, as well as set up an IRC bot to connect to the Undernet IRC network.

On systems where the escalation was unsuccessful, the attackers would use the host only as an IRC proxy or bot, as their scanning code seems to require privileged access to work.

On July 28th, following the initial analysis by Indiana University and Kansas State University, I contacted the Undernet security team about the use of their network in the attacks. They responded and began working on it by the 29th.

On or around August 1st we began to see the addition of "root" to the attack, followed shortly by 30 or so additional logins. These additional logins included many standard accounts found on Linux systems like "qmail", "oracle", and "nobody", bringing the variant count to three.

On Thursday, August 19th, the University of Minnesota reported having analyzed the fourth variant. This code included more than 2000 passwords for the user "root".

Essentially this attack preys on weak systems. All of the attacks are based on either weak authorization (open to the world sshd) or weak authentication (simple passwords). Judging by the scale of the scanning seen across the internet, it's apparent that it is effective to some extent though.

SANS also had an analysis of the scanning.
http://isc.sans.org/diary.php?date=2004-07-28
http://lists.sans.org/pipermail/list/2004-July/061219.html

Cheers,
- -Dave

- --
| Dave Monnier - dmonnier () iu edu - http://php.indiana.edu/~dmonnier/ |
| Lead Security Engineer, Information Technology Security Office |
| Office of the VP for Information Technology, Indiana University |

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBKOHRBIf6jlONJjIRAr/ZAKCSMG92rAGkliOTf7TRLIQudJ4dRwCbBqHk
zBJ8qRXE8QFL0K9gTR1+Upc=
=Tpnq
-----END PGP SIGNATURE-----

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
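The quoted analysis describes the attack's observable footprint from the victim side: a single source trying the accounts test, guest and admin in quick succession, later root plus standard system accounts, and finally thousands of root passwords. That footprint is easy to pick out of sshd's authentication log. The following Python is an added example written for this archive page, not code from the post, UNISOG or any of the universities named; it assumes the standard OpenSSH "Failed password for ..." / "Accepted password for ..." log line format, the sample log lines and the source IPs in it are constructed, and the five-failure threshold is an arbitrary assumption a site would tune.

```python
import re
from collections import defaultdict

# Account names the post reports being tried across the variants
# (test/guest/admin first, then root and standard Linux accounts).
WATCHED_ACCOUNTS = {"test", "guest", "admin", "root", "qmail", "oracle", "nobody"}

# Assumed OpenSSH auth-log format, e.g.:
#   sshd[123]: Failed password for invalid user test from 203.0.113.5 port 4242 ssh2
#   sshd[123]: Failed password for root from 203.0.113.5 port 4243 ssh2
#   sshd[123]: Accepted password for admin from 203.0.113.5 port 4244 ssh2
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log (documentation-range IPs, not real hosts):
# 203.0.113.5 walks the first-variant list and gets in as "admin";
# 203.0.113.9 hammers root as in the fourth variant; 198.51.100.7 is a
# legitimate user who mistyped a password once.
SAMPLE_LOG = [
    "Aug 22 13:11:01 web1 sshd[2201]: Failed password for invalid user test from 203.0.113.5 port 40001 ssh2",
    "Aug 22 13:11:02 web1 sshd[2202]: Failed password for invalid user guest from 203.0.113.5 port 40002 ssh2",
    "Aug 22 13:11:03 web1 sshd[2203]: Accepted password for admin from 203.0.113.5 port 40003 ssh2",
] + [
    f"Aug 22 13:15:{i:02d} web1 sshd[22{10 + i}]: Failed password for root from 203.0.113.9 port 4100{i} ssh2"
    for i in range(6)
] + [
    "Aug 22 13:20:10 web1 sshd[2301]: Failed password for alice from 198.51.100.7 port 51000 ssh2",
    "Aug 22 13:20:15 web1 sshd[2302]: Accepted password for alice from 198.51.100.7 port 51001 ssh2",
    "Aug 22 13:21:00 web1 CRON[2400]: pam_unix(cron:session): session opened for user root by (uid=0)",
]


def parse_auth_lines(lines):
    """Yield (result, user, ip) for every line that is an sshd password auth event.
    Lines from other daemons (cron, etc.) are skipped."""
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("ip")


def summarize_sources(lines, fail_threshold=5):
    """Aggregate attempts per source IP and flag dictionary-attack behaviour.

    A source is flagged when it either reaches `fail_threshold` failures
    (the "2000 passwords for root" variant) or fails against two or more of
    the watched account names (the test/guest/admin list-walking variant).
    Returns {ip: {"failures": int, "users": set, "accepted": set, "flagged": bool}}.
    """
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "accepted": set()})
    for result, user, ip in parse_auth_lines(lines):
        entry = stats[ip]
        if result == "Failed":
            entry["failures"] += 1
            entry["users"].add(user)
        else:
            entry["accepted"].add(user)
    for entry in stats.values():
        watched_hits = entry["users"] & WATCHED_ACCOUNTS
        entry["flagged"] = entry["failures"] >= fail_threshold or len(watched_hits) >= 2
    return dict(stats)


def suspected_compromises(stats):
    """Return sorted (ip, user) pairs where a flagged source also got an
    accepted login: the post's step 2 'record the IP and account' outcome,
    and the hosts an incident responder should look at first."""
    return sorted(
        (ip, user)
        for ip, entry in stats.items()
        if entry["flagged"]
        for user in entry["accepted"]
    )


if __name__ == "__main__":
    summary = summarize_sources(SAMPLE_LOG)
    for ip, entry in sorted(summary.items()):
        print(f"{ip}: failures={entry['failures']} users={sorted(entry['users'])} "
              f"accepted={sorted(entry['accepted'])} flagged={entry['flagged']}")
    print("suspected compromises:", suspected_compromises(summary))
```

Run against the constructed sample, the two attacking sources are flagged (one for walking several watched accounts, one for volume against root) while the legitimate user's single mistake is not, and the admin login from a flagged source is reported as a probable compromise. The two flagging conditions are deliberately separate: the volume test alone would miss the original three-guess variant, which needs only one attempt per account to succeed against a weak password.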