RE: [Full-Disclosure] Automated ssh scanning

From: Todd Towles (toddtowles_at_brookshires.com)
Date: 08/26/04

  • Next message: VeNoMouS: "Re: [Full-Disclosure] Automated ssh scanning"
    To: "KF_lists" <kf_lists@secnetops.com>
    Date: Thu, 26 Aug 2004 14:46:07 -0500
    
    

    There are too many factors that could play a role in this. We need to
    reduce the factors more before we point fingers at any certain part. KF
    has given us a good start.

    -----Original Message-----
    From: full-disclosure-admin@lists.netsys.com
    [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of KF_lists
    Sent: Thursday, August 26, 2004 1:55 PM
    To: Mailing List - Full-Disclosure
    Subject: Re: [Full-Disclosure] Automated ssh scanning

    Will *ANYONE* that actually got hacked do me a favor and type:
    "uname -a"
    Then include that in your next email. I keep hearing "fully patched"
    server however I have a feeling the Kernel was left out of the patching.

    -KF

    Todd Towles wrote:
    > Hey Ron,
    >
    > Guest isn't an admin so they let the tool get in. But the real
    > question is, how does it get root access on a fully patched server?
    > It appears to use a local exploit to gain root access. This is a
    > problem.
    >
    > Sorry about the earlier e-mail, I haven't had my coffee today. Trying
    > to cut back and spend that money on IT security =P
    >
    > -----Original Message-----
    > From: full-disclosure-admin@lists.netsys.com
    > [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of Ron
    > DuFresne
    > Sent: Thursday, August 26, 2004 9:08 AM
    > To: Tig
    > Cc: full-disclosure@lists.netsys.com
    > Subject: Re: [Full-Disclosure] Automated ssh scanning
    >
    >
    >
    > the real thing this user most likely suffered from was the weak
    > account passwd double, guest:guest. Now, if the admin and other
    > account were setup with strong passwd's and this account was either
    > setup with a strong passwd or not setup at all might be a better test
    > of the stability of ssh and the Debian setup in question.
    >
    > Thanks,
    >
    > Ron DuFresne
    >
    > On Thu, 26 Aug 2004, Tig wrote:
    >
    >
    >>On Wed, 25 Aug 2004 19:43:47 -0400
    >>Gerry Eisenhaur <GEisenhaur@Cisco.com> wrote:
    >>
    >>
    >>>I am confused, you said you knew about some SSH scanning going on,
    >>>then set up those accounts on a box. Now you are curious why that box
    >>>got rooted?
    >>>
    >>>Maybe I am missing something, but it seems you already have a pretty
    >>>good assumption of why it got rooted.
    >>>
    >>>The software, as you seem to know, is a few exploits, a backdoor and
    >>>some IRC stuff (bot and proxy).
    >>>
    >>>/gerry
    >>>
    >>
    >>I think you did miss the point (which was a very good one). Basically,
    >>once you have unprivileged access to a currently patched Woody box,
    >>you can quickly gain root access.
    >>
    >>I would love to see this tested against other versions of Linux and
    >>*BSD with default (and updated) installations. Anyone have a spare box
    >>and a few hours?
    >>
    >>-Tig
    >>
    >>_______________________________________________
    >>Full-Disclosure - We believe in it.
    >>Charter: http://lists.netsys.com/full-disclosure-charter.html
    >>
    >
    >
    > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    > "Cutting the space budget really restores my faith in humanity. It
    > eliminates dreams, goals, and ideals and lets us get straight to the
    > business of hate, debauchery, and self-annihilation." -- Johnny Hart
    > ***testing, only testing, and damn good at it too!***
    >
    > OK, so you're a Ph.D. Just don't touch anything.
    >

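As an added example (not part of this thread, and not code from any of the posters), here is the check a practitioner would want after reading the exchange above: a small Python script that reads sshd auth-log lines and flags the pattern the thread describes, one source working through many usernames and then being accepted for a weak account such as guest:guest. The log lines are constructed for the example, and the thresholds and function names are assumptions, not anything from the original posts.

```python
"""
Detect automated SSH password guessing in sshd auth-log lines and flag
accounts that were accepted only after a burst of failures from the same
source (the weak-password, guest:guest scenario discussed in the thread).

Added example; the sample log, thresholds and names are constructed.
"""
import re
from collections import defaultdict

# OpenSSH auth-log shapes this parser understands:
#   "sshd[PID]: Failed password for [invalid user] NAME from IP port N ssh2"
#   "sshd[PID]: Accepted password for NAME from IP port N ssh2"
# "invalid user" marks a username that does not exist on the host.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Thresholds are assumptions for the example, not from the thread.
FAIL_THRESHOLD = 4   # this many failures from one IP looks like a scanner
USER_THRESHOLD = 3   # trying this many distinct usernames is a spray

# Constructed sample log (not real data): a scanner works through common
# account names against one host and lands on guest:guest; a legitimate
# user mistypes once and then logs in normally.
SAMPLE_LOG = """\
Aug 25 19:40:01 woody sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 40211 ssh2
Aug 25 19:40:02 woody sshd[1203]: Failed password for invalid user test from 203.0.113.9 port 40212 ssh2
Aug 25 19:40:03 woody sshd[1205]: Failed password for root from 203.0.113.9 port 40213 ssh2
Aug 25 19:40:04 woody sshd[1207]: Failed password for invalid user oracle from 203.0.113.9 port 40214 ssh2
Aug 25 19:40:05 woody sshd[1209]: Failed password for guest from 203.0.113.9 port 40215 ssh2
Aug 25 19:40:06 woody sshd[1211]: Accepted password for guest from 203.0.113.9 port 40216 ssh2
Aug 25 19:41:10 woody sshd[1230]: Failed password for tig from 198.51.100.4 port 51000 ssh2
Aug 25 19:41:14 woody sshd[1232]: Accepted password for tig from 198.51.100.4 port 51001 ssh2
"""


def parse(log_text):
    """Yield (result, user, ip) for each sshd password line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("ip")


def analyse(log_text, fail_threshold=FAIL_THRESHOLD, user_threshold=USER_THRESHOLD):
    """Return per-source findings.

    A source is a 'scanner' once it exceeds either threshold.  An accepted
    login is recorded as 'compromised' only if, at the moment it happened,
    the same source had already crossed a threshold; a single typo followed
    by a good password does not qualify.
    """
    state = defaultdict(lambda: {"failures": 0, "users": set(), "compromised": []})
    for result, user, ip in parse(log_text):
        s = state[ip]
        if result == "Failed":
            s["failures"] += 1
            s["users"].add(user)
        elif s["failures"] >= fail_threshold or len(s["users"]) >= user_threshold:
            s["compromised"].append(user)
    return {
        ip: {
            "failures": s["failures"],
            "users_tried": sorted(s["users"]),
            "scanner": s["failures"] >= fail_threshold or len(s["users"]) >= user_threshold,
            "compromised": s["compromised"],
        }
        for ip, s in state.items()
    }


if __name__ == "__main__":
    for ip, f in sorted(analyse(SAMPLE_LOG).items()):
        tag = "SCANNER" if f["scanner"] else "ok"
        print(f"{ip:15} {tag:8} failures={f['failures']} "
              f"users={f['users_tried']} compromised={f['compromised']}")
```

Run it against a real /var/log/auth.log by passing the file contents to analyse(); any account listed under "compromised" is the one to disable and investigate first, since, as the thread points out, an unprivileged shell is all the tool needs before it tries its local exploits.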