about the automated ssh login attempts
From: Jerome <jethro () docisland org>
Date: Thu, 29 Jul 2004 08:05:45 +0200
Setting up a honeypot, I was able to identify some of the activity
associated with these login attempts.
After the honeypot's been probed for guest and test logins, I had someone
log in as test and fetch some tools from websites to use them on the
tools were fetched from some .ro website as per .bash_history and
The toolkit I had the opportunity to have downloaded by the kid on the
honeypot was made of a bunch of components:
- ss: a copy of the "very fast" syn scanner by haitateam published
lately, at least on packetstorm
- haita: apparently the tool used to bruteforce accounts
strings -a haita | grep SSH
SSH login bruteforcer by HaitaTeam
*tho* guest and test accounts seem hardcoded, so unless they fix
that, it's not gonna be a big threat for all of the other joes
And the final part:
- scan.sh: which is the kiddie's best friend for using these 2 tools
if [ $# != 1 ]
echo "Se da asa:"
echo "$0 <clasa b>"
echo "$0 212.93"
echo "Daca nu prindeti ... verificati in fisieru \
asta sa fie pusa placa de retea care trebe adika \
eth0, eth1, ppp0 etc "
rm -f bios.txt vuln.txt uniq.txt
./ss 22 -b $1 -i eth0 -s 6
cat bios.txt |sort | uniq > uniq.txt
I also had some other toolkits on the honeypot after the breakin, most
of them being local root exploits packed in a single archive, and some
massrooter for years old remote vulnerabilities, but we all know them.
I can provide the bins if anyone's interested, but I didn't bother
yet to place them on some website, feel free to email.
[pgp keyid : 33D7802F http://pgp.mit.edu]
[key fingerprint : 82E6 C9C8 05D1 BEAC 9353 8ECB CEAF 6A0A 33D7 802F]
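Added example, not part of the original post: a small sshd log check that picks up the pattern described above, namely a burst of failed logins against the hardcoded guest/test accounts from one source followed by a successful login as one of those accounts. The log lines are constructed samples in old syslog/OpenSSH format (the threshold and the per-source counting without a time window are assumptions, not from the post).

```python
import re
from collections import defaultdict

# Account names the post says are hardcoded in the bruteforcer.
PROBE_ACCOUNTS = {"guest", "test"}

# Old OpenSSH wrote "Illegal user", newer versions write "invalid user".
FAILED_RE = re.compile(
    r"Failed password for (?:(?:illegal|invalid) user )?(\S+) from (\S+) port"
)
ACCEPTED_RE = re.compile(r"Accepted password for (\S+) from (\S+) port")

# Constructed sample log (not from the original post); addresses are made up.
SAMPLE_LOG = """\
Jul 29 07:58:01 honey sshd[4123]: Illegal user test from 212.93.10.5
Jul 29 07:58:01 honey sshd[4123]: Failed password for illegal user test from 212.93.10.5 port 40211 ssh2
Jul 29 07:58:02 honey sshd[4125]: Failed password for illegal user guest from 212.93.10.5 port 40212 ssh2
Jul 29 07:58:03 honey sshd[4127]: Failed password for test from 212.93.10.5 port 40213 ssh2
Jul 29 07:58:04 honey sshd[4129]: Failed password for guest from 212.93.10.5 port 40214 ssh2
Jul 29 07:58:30 honey sshd[4131]: Accepted password for test from 212.93.10.5 port 40215 ssh2
Jul 29 08:10:11 honey sshd[4200]: Failed password for jerome from 10.0.0.7 port 50100 ssh2
"""


def analyze(log_text, threshold=3):
    """Count failed probe-account logins per source and flag sources at or
    above `threshold`; also flag a successful probe-account login that
    follows such a burst from the same source (likely compromise)."""
    failures = defaultdict(int)  # source address -> failed guest/test logins
    probe_logins = []            # (source, account) accepted after a burst
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, src = m.groups()
            if user in PROBE_ACCOUNTS:
                failures[src] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            user, src = m.groups()
            if user in PROBE_ACCOUNTS and failures.get(src, 0) >= threshold:
                probe_logins.append((src, user))
    bruteforce = {src: n for src, n in failures.items() if n >= threshold}
    return {"bruteforce_sources": bruteforce, "probe_account_logins": probe_logins}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```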
Full-Disclosure - We believe in it.