Security Incidents mailing list archives

Re: SSH probe attack afoot?


From: Steven Harrison <smharr4 () qwest net>
Date: Mon, 07 Feb 2005 13:15:29 -0800


Martin Sarsale wrote:
> Every time I get one of those scans I'm curious about what those clients (bots or hax0rs) are using as passwords.

The lists of usernames and passwords are hard-coded in the application used for the brute-force attack. Seems a little inefficient, but it's easier to distribute and hide one file on a cracked system than it is to hide the application file, a file of users and a file of passwords.

I have a link to the source code used on one of my webpages:

        http://smharr4.dnsalias.net/index.php/Ssh

> Does it make any sense to log the password they're using, apart from satisfying my curiosity?

The passwords they try are known (they're in the code), but if you're curious then why not?

> And: does ssh provide this kind of functionality? (I know it could be a security breach in case you type your root password in uppercase and it ends up in your logs)

Not by default; you'd need to slightly modify the code of your openssh server. In my case, I amended auth-passwd.c to log the password. From my source copy of openssh 3.9p1, lines 58 through 70:

/*
 * Tries to authenticate the user using password.  Returns true if
 * authentication succeeds.
 */
int
auth_password(Authctxt *authctxt, const char *password)
{
        struct passwd * pw = authctxt->pw;
        int ok = authctxt->valid;
#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
        static int expire_checked = 0;
#endif
        /* added line: record every password the client offers */
        logit("Password used: %s", password);
        /* ... remainder of auth_password() unchanged ... */


This will log every password, even yours - be careful where you log to and who gets to see them.


--
Steven Harrison
Unix Systems Administrator
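Added example, not from the original post and not OpenSSH code: a stand-alone C program showing one way to narrow the patch above so that a password is recorded only when the requested account does not exist (sshd's authctxt->valid is zero), and so that control characters in an attacker-chosen string are escaped before the line is written anywhere. The two-field Authctxt struct is a stand-in for the real one; format_password_attempt and copy_vis are hypothetical helpers, not sshd functions.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the two Authctxt fields this example uses (names as in sshd). */
typedef struct {
    const char *user;   /* login name the client asked for */
    int valid;          /* non-zero when the account exists on this host */
} Authctxt;

/* Copy src into dst, escaping anything outside printable ASCII as \ooo so an
 * attacker-chosen string cannot push newlines or control bytes into the log. */
static void copy_vis(char *dst, size_t dstlen, const char *src)
{
    size_t n = 0;
    for (; *src != '\0' && n + 1 < dstlen; src++) {
        unsigned char c = (unsigned char)*src;
        if (c >= 0x20 && c < 0x7f && c != '\\') {
            dst[n++] = (char)c;
        } else {
            if (n + 4 >= dstlen)
                break;
            n += (size_t)snprintf(dst + n, dstlen - n, "\\%03o", c);
        }
    }
    dst[n] = '\0';                  /* always NUL-terminated */
}
/* Decide what, if anything, to log for one attempt. Returns 1 and fills out[]
 * when a line should be written, 0 otherwise. Passwords are recorded only for
 * accounts that do not exist, so a real user's mistyped password never lands
 * in the log. */
int format_password_attempt(const Authctxt *authctxt, const char *password,
                            char *out, size_t outlen)
{
    char uvis[64], pvis[256];
    if (authctxt->valid)
        return 0;                   /* existing account: never record the secret */
    copy_vis(uvis, sizeof(uvis), authctxt->user);
    copy_vis(pvis, sizeof(pvis), password);
    snprintf(out, outlen, "Password tried for invalid user %s: %s", uvis, pvis);
    return 1;
}

int main(void)
{
    Authctxt bot = { "admin", 0 };  /* constructed sample: probe of a non-existent account */
    char line[512];
    if (format_password_attempt(&bot, "admin\n123", line, sizeof(line)))
        puts(line);
    return 0;
}
```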


