Full Disclosure mailing list archives
RE: Automated SSH login attempts? Related Cross post from incidents.org
From: "Harris, Michael C." <HarrisMC () health missouri edu>
Date: Fri, 30 Jul 2004 10:31:08 -0500
-----Original Message----- From: intrusions-bounces () lists sans org [mailto:intrusions-bounces () lists sans org] On Behalf Of Andrew Daviel Sent: Thursday, July 29, 2004 4:01 PM To: intrusions () incidents org Subject: [Intrusions] Linux SSH scanning - test/guest FYI We got zapped by some hackers from, I think, Romania that have a priv escalation exploit for Linux 2.4.20 http://sirzion.illusivecreations.com/loginxy There is also a multithreaded SSH bruteforcer called "haita" This attempts to login to machines using the accounts "test" and "guest", with passwords "test" & "guest" respectively. It runs from a file of addresses found by a synscan program. It identifies itself as SSH-2.0-libssh-0.1 So, SSH login failures for test & guest are an indication of this thing running at the remote end. The two names & passwords appear to be hardcoded into the program. Since Linux as I recall backs off after failed attempts there wouldn't be much to gain by trying many more names, but variants may appear with other defaults. -- Andrew Daviel, TRIUMF, Canada Tel. +1 (604) 222-7376 security () triumf ca _______________________________________________ Intrusions mailing list Intrusions () lists sans org http://www.dshield.org/mailman/listinfo/intrusions -----Original Message----- From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Todd Towles Sent: Friday, July 30, 2004 7:53 AM To: 'Jan Muenther' Cc: full-disclosure () lists netsys com Subject: RE: [Full-disclosure] Automated SSH login attempts? Jan is right - looking at the code might be the only way to know what is really happening. We all await your disassembled, debugged and traced code analysis, Jan. =) -----Original Message----- From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Jan Muenther Sent: Friday, July 30, 2004 6:52 AM To: Andrew Farmer Cc: Ali Campbell; full-disclosure () lists netsys com Subject: Re: [Full-disclosure] Automated SSH login attempts? Now, if anybody could jump through the hoop and send me the thing or make it publicly available... all these things are musings, 'it looks as if...' and 'it seems like...' are not exactly results of an analysis. Just tracing tcpdump's output is definitely insufficient. If the tool just sends normal TCP packets, then why does it need root rights, which you typically only require for raw sockets to build packets which can't be constructed with SOCK_STREAM or SOCK_DGRAM? I hope you don't run it on your production boxes in the normal userland - ever considered the fact it might contain an ELF infector or something? Now, if I wanted to deploy malware on a Linux box, I'd just come up with a mysterious looking tool and let that infect the machines of people who just run anything they can get a hold of. It's Linux, after all, right? No viruses, right?
Do I take it that these things are just trying to log in using some guessed password(s) ? Out of interest, do we have any idea what these
opportunistic passwords might be ?At least two of them are guest:guest and test:test. I'd guess that root:root and admin@admin are on the list too :-)
This things needs to be disassembled, debugged and traced. All else is just whistling in the dark. Meh. Cheers, J. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- RE: Automated SSH login attempts? Related Cross post from incidents.org Harris, Michael C. (Jul 30)