RE: [Full-Disclosure] Automated SSH login attempts? Related Cross post from incidents.org

From: Harris, Michael C. (HarrisMC_at_health.missouri.edu)
Date: 07/30/04

  • Next message: Aaron Gray: "[Full-Disclosure] Stateful Packet Inspection" 
    To: <full-disclosure@lists.netsys.com>
Date: Fri, 30 Jul 2004 10:31:08 -0500

     

    -----Original Message-----
    From: intrusions-bounces@lists.sans.org
    [mailto:intrusions-bounces@lists.sans.org] On Behalf Of Andrew Daviel
    Sent: Thursday, July 29, 2004 4:01 PM
    To: intrusions@incidents.org
    Subject: [Intrusions] Linux SSH scanning - test/guest

    FYI

    We got zapped by some hackers from, I think, Romania that have a priv
    escalation exploit for Linux 2.4.20
    http://sirzion.illusivecreations.com/loginxy

    There is also a multithreaded SSH bruteforcer called "haita"
    This attempts to login to machines using the accounts "test" and
    "guest", with passwords "test" & "guest" respectively.
    It runs from a file of addresses found by a synscan program. It
    identifies itself as SSH-2.0-libssh-0.1

    So, SSH login failures for test & guest are an indication of this thing
    running at the remote end.

    The two names & passwords appear to be hardcoded into the program.
    Since Linux as I recall backs off after failed attempts there wouldn't
    be much to gain by trying many more names, but variants may appear with
    other defaults. 

    --
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
security@triumf.ca
_______________________________________________
Intrusions mailing list
Intrusions@lists.sans.org
http://www.dshield.org/mailman/listinfo/intrusions
-----Original Message-----
From: full-disclosure-admin@lists.netsys.com
[mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Todd Towles
Sent: Friday, July 30, 2004 7:53 AM
To: 'Jan Muenther'
Cc: full-disclosure@lists.netsys.com
Subject: RE: [Full-Disclosure] Automated SSH login attempts?
Jan is right - looking at the code might be the only way to know what is
really happening.
We all await your disassembled, debugged and traced code analysis, Jan.
=)
-----Original Message-----
From: full-disclosure-admin@lists.netsys.com
[mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Jan
Muenther
Sent: Friday, July 30, 2004 6:52 AM
To: Andrew Farmer
Cc: Ali Campbell; full-disclosure@lists.netsys.com
Subject: Re: [Full-Disclosure] Automated SSH login attempts?
Now, if anybody could jump through the hoop and send me the thing or
make it publicly available... all these things are musings, 'it looks as
if...' and 'it seems like...' are not exactly results of an analysis. 
Just tracing tcpdump's output is definitely insufficient. 
If the tool just sends normal TCP packets, then why does it need root
rights, which you typically only require for raw sockets to build
packets which can't be constructed with SOCK_STREAM or SOCK_DGRAM?
I hope you don't run it on your production boxes in the normal userland
- ever considered the fact it might contain an ELF infector or
something?
Now, if I wanted to deploy malware on a Linux box, I'd just come up with
a mysterious looking tool and let that infect the machines of people who
just run anything they can get a hold of. It's Linux, after all, right?
No viruses, right?
> >Do I take it that these things are just trying to log in using some 
> >guessed password(s) ? Out of interest, do we have any idea what these
> >opportunistic passwords might be ?
> 
> At least two of them are guest:guest and test:test. I'd guess that 
> root:root and admin@admin are on the list too :-)
This things needs to be disassembled, debugged and traced. All else is
just whistling in the dark. Meh. 
Cheers, J.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
  • Next message: Aaron Gray: "[Full-Disclosure] Stateful Packet Inspection"

    Relevant Pages

    • Re: SSH server with SBC DSL and DynDNS
      ... > I'm thinking about getting SBC DSL service, ... > be able to log into one of my Linux boxes using SSH. ... I have used a broadband router with dynamic SBC DSL, ...
      (comp.os.linux.networking)
    • Re: [SLE] [General] Rules for firewall?
      ... > One Linux server with NFS ... except the windows boxes unless you run cgywin ... > The firewall is to be locked down for user login only via ssh. ... > Any pointers on where to start learning? ...
      (SuSE)
    • Re: What kind of user authentication / password encryption am I using?
      ... On February 7, 2004 08:19 am, Ken Rossman wrote: ... > I have managed to inherit a rather broken Linux/Solaris environment, ... I am hoping to make the NIS environment on the Linux side be ... needed to install the commercial ssh client on my workstation (I then used 2 ...
      (RedHat)
    • Re: some attack to fedora machine .
      ... Please check below link for antivirus program download for linux. ... F8 installation last December. ... Each and every time the invader came in through ssh. ...
      (Fedora)
    • Re: Forking and SSH connections
      ... When I remove it (i.e. the scheduler becomes a forking ... Since forked sibling processes don't share this state ... Setting up an SSH login every ...
      (comp.lang.perl.misc)