Re: ssh worms FAQ

From: Dale Richards (dalerichards800_at_msn.com)
Date: 09/16/04


Date: Thu, 16 Sep 2004 21:52:15 GMT

Innocenti Maresin wrote:
> Hello!
>
> There have been many ssh worms on the Internet since this summer.
> These worms often try to access
> "test", "guest", "admin", "user" and "root" accounts.
> See details in
> http://seclists.org/lists/fulldisclosure/2004/Jul/1243.html

Interesting. I've seen these access attempts in my logs but never thought
too much of it.

Out of curiosity, I downloaded the file mentioned in that article
(http://frauder.us/linux/ssh.tgz). As soon as I did, my antivirus software
started complaining about "Linux.RST.B", "Hacktool.Slice" and
"Hacktool.Rootkit".

Does anyone know whether this worm is just trying default passwords or if it
is using an SSH server vulnerability? It can't be brute forcing because I
only see one or two access attempts per attack in my logs...
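
Added example, not part of the original post: one way to check the "one or two attempts per attack" pattern described above against sshd logs, by grouping failed logins per source address and separating low-volume probes of the listed account names from high-volume guessing. The function name, the threshold of 10 and the sample log lines are assumptions made for illustration; the lines are constructed in the style of OpenSSH's `Failed password` messages.

```python
import re
from collections import defaultdict

# Account names the quoted post says the worms try.
PROBED = {"test", "guest", "admin", "user", "root"}

# sshd failure line; older OpenSSH wrote "illegal user", newer "invalid user".
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:illegal|invalid) user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def classify(lines, brute_threshold=10):
    """Group failed logins by source address and label each source.

    'brute force': at least brute_threshold failures (assumed cut-off).
    'default-account probe': fewer failures, all against PROBED names.
    'other': anything else.
    """
    users_by_ip = defaultdict(list)
    for line in lines:
        m = FAILED.search(line)
        if m:
            users_by_ip[m.group("ip")].append(m.group("user"))
    report = {}
    for ip, users in users_by_ip.items():
        if len(users) >= brute_threshold:
            label = "brute force"
        elif set(users) <= PROBED:
            label = "default-account probe"
        else:
            label = "other"
        report[ip] = (label, len(users), sorted(set(users)))
    return report

# Constructed sample lines (documentation addresses, not real log data).
SAMPLE = [
    "Sep 16 03:12:01 host sshd[2101]: Failed password for illegal user test from 192.0.2.10 port 40112 ssh2",
    "Sep 16 03:12:04 host sshd[2103]: Failed password for illegal user guest from 192.0.2.10 port 40115 ssh2",
    "Sep 16 04:40:22 host sshd[2150]: Failed password for root from 198.51.100.7 port 51000 ssh2",
    "Sep 16 05:01:10 host sshd[2188]: Accepted password for alice from 203.0.113.5 port 33012 ssh2",
] + [
    f"Sep 16 06:00:{i:02d} host sshd[{2200 + i}]: Failed password for root from 203.0.113.99 port {42000 + i} ssh2"
    for i in range(12)
]

if __name__ == "__main__":
    for ip, (label, count, users) in sorted(classify(SAMPLE).items()):
        print(f"{ip:15} {label:22} attempts={count:3} users={users}")
```
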


