Re: ssd attacks; worm? and precautionary steps
From: Barton L. Phillips (bartonphillips_at_sbcglobal.net)
Date: 08/22/05
Date: Mon, 22 Aug 2005 21:29:27 GMT
H.S. wrote:
> Apparently, _ynotssor_, on 22/08/05 16:14, typed:
>
>> "H.S." <g_reate_xcalibur@yahoo.com> wrote in message
>> news:AiqOe.78448$Ph4.2467539@ursa-nb00s0.nbnet.nb.ca...
>>
>>>> And my queries now are:
>>>> 1. Does the rogue worm/script/program have a name? Where can I get it
>>>> from?
>>
>>> er ... no response regarding the identity of the worm or script, or so
>>> it appears. Looks like the ssh attacks are pretty common but no one has
>>> actually seen such a script? Either I am missing something quite obvious
>>> or this is very very odd.
>>
>> Anybody with half a talent for scripting or programming can easily author
>> such things. Nobody with half an intelligence would make such details
>> public.
>>
>
> Well, I knew it was not going to be that easy. But similar to how other
> rogue programs are obtained and made public, I was thinking perhaps
> it is the case here too.
>
> If I am not grossly wrong, the ssh/sshd attacks all originate from
> compromised Linux or Unix machines. So you are saying that no one,
> absolutely no one, has been able to discover the script on their
> compromised machines and reported it? The script comes with a database
> or list of usernames and passwords. Clearly if the script has been
> authored by someone with "half a talent for scripting", how come admins
> with greater talent haven't found it out (at least its name or some of
> its salient features)? And if no one knows about the script, how come
> we are assuming that it tries usernames and passwords and not something
> advanced that targets sshd or Linux kernel weaknesses?
>
I had one of these ssh script-worms on one of my machines. The one I had
was a worm. It didn't get very far as it only got into a user's account
that had no other privilege. I found the pieces left in /tmp. There were
about 10 files that had been downloaded, all scripts (bash and perl).
The worm tried to see if it had root privileges and when it didn't it
bailed. At the time I looked around and I think I found information
about the exploit at one of the AV sites.

The worm got into my box via a user account "alan" that had a password
of "alan". I changed my policy to assign users a password and not let
them change it. I also restricted the users who could log into my
machine and only allow public/private key authentication now. I had
already restricted the use of ssh to a small group that "alan" was not a
member of, so the worm couldn't use ssh to try to find other targets.
Since then I have also moved sshd to another port and that has stopped
the probing altogether (so far, though a port scan that identifies
sshd on other ports is surely possible).

The worm package had a file that was its dictionary and a file that had
subnet ranges to explore. It was not a trivial script but it was not
really very sophisticated either. It had obviously been patched together
using several different exploit pieces to make one.
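The precautions described in the post above (key-only logins, a restricted set of allowed users, sshd off port 22) map onto a handful of sshd_config directives. The following audit script is an added example, not code from the poster or from OpenSSH; it parses a config the way sshd does for global directives (first occurrence of a keyword wins, comments ignored, everything after a `Match` line treated as conditional and skipped) and reports which of those precautions are missing. The two sample configs are constructed for this example.

```python
"""Check an sshd_config text against the anti-dictionary-attack precautions
described above. The config samples below are constructed, not real files."""
import re

# Constructed "before" config: password logins for any local account on port 22.
WEAK_CONFIG = """\
# default-style sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

# Constructed "after" config: keys only, one allowed group, non-default port.
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no   # keyboard-interactive via PAM too
PubkeyAuthentication yes
AllowGroups sshusers
"""

def parse_sshd_config(text):
    """Return {keyword_lower: first_value}; 'port' holds a list of all ports.
    sshd uses the first value it sees for a global keyword; directives after
    a Match line only apply conditionally, so parsing stops there."""
    settings, ports = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        if key == "port":
            ports.append(value)
        settings.setdefault(key, value)      # first occurrence wins
    settings["port"] = ports or ["22"]       # sshd default when unset
    return settings

def audit(text):
    """Return a list of findings; an empty list means every check passed.
    Absent keywords are treated as the permissive old defaults."""
    s, findings = parse_sshd_config(text), []
    if s.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication not 'no': dictionary guesses can succeed")
    kbd = s.get("kbdinteractiveauthentication",
                s.get("challengeresponseauthentication", "yes"))
    if kbd.lower() != "no":
        findings.append("keyboard-interactive auth enabled: PAM may still ask for a password")
    if s.get("permitrootlogin", "yes").lower() != "no":
        findings.append("PermitRootLogin not 'no'")
    if not (s.get("allowusers") or s.get("allowgroups")):
        findings.append("no AllowUsers/AllowGroups: every local account may log in")
    if "22" in s["port"]:
        findings.append("sshd listens on port 22, the port the probing targets")
    return findings
```

Run `audit(WEAK_CONFIG)` to see all five findings and `audit(HARDENED_CONFIG)` to see none; feed it the text of a real sshd_config to check a host.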