RE: [Full-Disclosure] Automated SSH login attempts?

From: Todd Towles (toddtowles_at_brookshires.com)
Date: 07/30/04

  • Next message: Jan Muenther: "Re: [Full-Disclosure] Automated SSH login attempts?"
    To: "'Jan Muenther'" <jan.muenther@nruns.com>
    Date: Fri, 30 Jul 2004 07:53:18 -0500
    
    

    Jan is right - looking at the code might be the only way to know what is
    really happening.

    We all await your disassembled, debugged and traced code analysis, Jan. =)

    -----Original Message-----
    From: full-disclosure-admin@lists.netsys.com
    [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Jan Muenther
    Sent: Friday, July 30, 2004 6:52 AM
    To: Andrew Farmer
    Cc: Ali Campbell; full-disclosure@lists.netsys.com
    Subject: Re: [Full-Disclosure] Automated SSH login attempts?

    Now, if anybody could jump through the hoop and send me the thing or make it
    publicly available... all these things are musings, 'it looks as if...' and
    'it
    seems like...' are not exactly results of an analysis.

    Just tracing tcpdump's output is definitely insufficient.
    If the tool just sends normal TCP packets, then why does it need root
    rights,
    which you typically only require for raw sockets to build packets which
    can't
    be constructed with SOCK_STREAM or SOCK_DGRAM?

    I hope you don't run it on your production boxes in the normal userland -
    ever
    considered the fact it might contain an ELF infector or something?
    Now, if I wanted to deploy malware on a Linux box, I'd just come up with a
    mysterious looking tool and let that infect the machines of people who just
    run anything they can get a hold of. It's Linux, after all, right? No
    viruses,
    right?

    > >Do I take it that these things are just trying to log in using some
    > >guessed password(s) ? Out of interest, do we have any idea what these
    > >opportunistic passwords might be ?
    >
    > At least two of them are guest:guest and test:test. I'd guess that
    > root:root and admin@admin are on the list too :-)

    This things needs to be disassembled, debugged and traced. All else is just
    whistling in the dark. Meh.

    Cheers, J.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


  • Next message: Jan Muenther: "Re: [Full-Disclosure] Automated SSH login attempts?"

    Relevant Pages

    • Re: [Full-Disclosure] Automated SSH login attempts?
      ... Just tracing tcpdump's output is definitely insufficient. ... If the tool just sends normal TCP packets, then why does it need root rights, ... considered the fact it might contain an ELF infector or something? ... It's Linux, after all, right? ...
      (Full-Disclosure)
    • Re: [Full-Disclosure] Automated SSH login attempts?
      ... > If the tool just sends normal TCP packets, then why does it need root rights, ... The tool itself dos not need root rights. ... > considered the fact it might contain an ELF infector or something? ... It's Linux, after all, right? ...
      (Full-Disclosure)
    • Re: Slow browsing with cable modem
      ... > Here is an early sample of answers I have received from the Charter forum. ... > My Linux boxes work fine. ... so could you provide output from Windows ... > going to the root servers for DNS requests, timing out, then trying the ...
      (comp.os.linux.networking)
    • Re: Linux is free...Nobody is using Linux...Why?
      ... This is not a Linux newsgroup. ... Also if you were truly a moderator, ... > pay more attention to the charter, in cases of spam/trolling, rather ... Please enjoy the remaining time you have on usenet. ...
      (alt.os.linux)
    • Re: Slow browsing with cable modem
      ... Here is an early sample of answers I have received from the Charter forum. ... My Linux boxes work fine. ... One thing you might want to also check is the DNS server addresses your ... the case as I have noticed a couple root server addresses have changed at ...
      (comp.os.linux.networking)