Full Disclosure mailing list archives
Re: Automated ssh scanning
From: Tremaine <tremaine () gmail com>
Date: Thu, 26 Aug 2004 10:34:09 -0600
On Thu, 26 Aug 2004 09:08:15 -0500 (CDT), Ron DuFresne <dufresne () winternet com> wrote:
the real thing this user most likely suffered from was the weak account passwd double, guest:guest. Now, if the admin and other account were setup with strong passwd's and this account was either setup with a strong passwd or not setup at all might be a better test of the stability of ssh and the debain setup in question. Thanks, Ron DuFresne On Thu, 26 Aug 2004, Tig wrote:On Wed, 25 Aug 2004 19:43:47 -0400 Gerry Eisenhaur <GEisenhaur () Cisco com> wrote:I am confused, you said you knew about some SSH scanning going on, then set up those accounts on a box. Now you are curious way that box got rooted? Maybe I am missing something, but it seems you already have a pretty good assumption of why it got rooted. The software, as you seem to know, is a few exploits, a backdoor and some IRC stuff(bot and proxy). /gerryI think you did miss the point (which was a very good one). Basically, once you have unprivileged access to a currently patched Woody box, you can quickly gain root access. I would love to see this tested against other version of Linux and *BSD with default (and updated) installations. Anyone have a spare box and a few hours? -Tig _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart ***testing, only testing, and damn good at it too!*** OK, so you're a Ph.D. Just don't touch anything.
Hi there Ron, It appears you made the same assumption the guy from Cisco did ;) The box was installed with the *user* accounts admin and guest with weak passwords, and root had a strong password. The box was otherwise 'secure' and patched with only sshd available. The question then becomes, how did the attacker gain root access after obtaining a user account on a box that is otherwise current and patched. As a previous user noted, the experiment needs to be repeated with better logging to determine the route of compromise. -- Tremaine IT Security Consultant _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Automated ssh scanning Richard Verwayen (Aug 25)
- Re: Automated ssh scanning Gerry Eisenhaur (Aug 25)
- Re: Automated ssh scanning Tig (Aug 26)
- Re: Automated ssh scanning Ron DuFresne (Aug 26)
- Re: Automated ssh scanning Tig (Aug 26)
- Re: Automated ssh scanning Tremaine (Aug 26)
- Re: Automated ssh scanning Gerry Eisenhaur (Aug 26)
- Re: Automated ssh scanning Tig (Aug 26)
- Re: Automated ssh scanning Gerry Eisenhaur (Aug 25)
- Re: Automated ssh scanning VeNoMouS (Aug 25)
- Re: Automated ssh scanning VeNoMouS (Aug 25)
- Re: Automated ssh scanning Henrik Persson (Aug 25)
- Re: Automated ssh scanning Richard Verwayen (Aug 26)
- Re: Automated ssh scanning Henrik Persson (Aug 26)
- Re: Automated ssh scanning Richard Verwayen (Aug 26)
- Re: Automated ssh scanning VeNoMouS (Aug 25)
- Re: Automated ssh scanning David Vincent (Aug 25)
- Re: Automated ssh scanning Richard Verwayen (Aug 26)
- Re: Automated ssh scanning andreas (Aug 26)
- Re: Automated ssh scanning Richard Verwayen (Aug 26)