Full Disclosure mailing list archives

about the automated ssh login attempts
From: Jerome <jethro () docisland org>
Date: Thu, 29 Jul 2004 08:05:45 +0200


Hi list,

setting up a honeypot, I was able to identify some of the activity
associated with these login attempts. 
after the honeypot's been probed for guest and test login, I had someone
login as test and fetch some tools from websites to use them on the
honeypot.

tools were fetched from some .ro website as per .bash_history and
captured keystrokes.

the toolkit I had the opportunity to have downloaded by the kid on the
honeypot was made of a bunch of components:

- ss : a copy of the "very fast" syn scanner by haitateam published
  lately, at least on packetstorm

- haita: apparently the tool used to bruteforce accounts

        strings -a haita | grep SSH
        SSH login bruteforcer by HaitaTeam
        
        *tho* guest and test accounts seem hardcoded, so unless they fix
        that, it's not gonna be a big threat for all of the other joes
        accounts around.

and the final part:

- scan.sh: which is the kiddie's best friend for using these 2 tools
  altogether:

#!/bin/sh
if [ $# != 1 ]
then
        echo "Se da asa:"
        echo "$0 <clasa b>"
        echo "Exemplu:"
        echo "$0 212.93"
        echo "Daca nu prindeti ... verificati in fisieru \
asta sa fie pusa placa de retea care trebe adika \
eth0, eth1, ppp0 etc "

        exit
fi
rm -f bios.txt vuln.txt uniq.txt
./ss 22 -b $1 -i eth0 -s 6
cat bios.txt |sort | uniq > uniq.txt
./haita
                        
I also had some other toolkits on the honeypot after the breakin, most
of them being local root exploits packed in a single archive, and some
massrooter for years old remote vulnerabilities, but we all know them.

I can provide with the bins if anyone's interested, but didn't bother
yet to place them on some website, feel free to email.

cheers,

-- 
Jerome
[pgp keyid : 33D7802F http://pgp.mit.edu]
[key fingerprint : 82E6 C9C8 05D1 BEAC 9353  8ECB CEAF 6A0A 33D7 802F]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
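
Detection logic for the pattern the post describes (password attempts against the guest and test accounts, followed by a login as test), added here as an example; it is not part of the original message or of the captured toolkit. It assumes OpenSSH's syslog wording for password authentication; the log lines, host name and addresses are constructed, and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Accounts the post reports as hardcoded in the bruteforcer.
PROBED_ACCOUNTS = {"guest", "test"}

# OpenSSH password-auth results; "illegal user" is the wording of older
# releases, "invalid user" of current ones (assumed log format).
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:(?:invalid|illegal) user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample log lines (documentation address ranges), not from the post.
SAMPLE_LOG = """\
Jul 29 03:12:01 pot sshd[2101]: Failed password for illegal user guest from 192.0.2.10 port 40112 ssh2
Jul 29 03:12:03 pot sshd[2103]: Failed password for test from 192.0.2.10 port 40115 ssh2
Jul 29 03:12:04 pot sshd[2105]: Accepted password for test from 192.0.2.10 port 40119 ssh2
Jul 29 04:40:17 pot sshd[2230]: Failed password for illegal user guest from 198.51.100.7 port 51200 ssh2
Jul 29 04:40:19 pot sshd[2232]: Failed password for test from 198.51.100.7 port 51203 ssh2
Jul 29 09:02:44 pot sshd[2301]: Failed password for alice from 203.0.113.5 port 33890 ssh2
Jul 29 09:02:51 pot sshd[2301]: Accepted password for alice from 203.0.113.5 port 33890 ssh2
"""

def classify_sources(log_text):
    """Return {ip: "login" | "probe"} for sources touching the probed accounts."""
    tried = defaultdict(set)      # ip -> probed account names attempted
    accepted = defaultdict(set)   # ip -> probed accounts that accepted a password
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m or m["user"] not in PROBED_ACCOUNTS:
            continue
        tried[m["ip"]].add(m["user"])
        if m["result"] == "Accepted":
            accepted[m["ip"]].add(m["user"])
    verdicts = {}
    for ip, users in tried.items():
        if accepted[ip]:
            verdicts[ip] = "login"   # a probed account let this source in: review the host
        elif users == PROBED_ACCOUNTS:
            verdicts[ip] = "probe"   # both hardcoded names tried, none worked
    return verdicts

if __name__ == "__main__":
    for ip, verdict in sorted(classify_sources(SAMPLE_LOG).items()):
        print(ip, verdict)
```

A "login" verdict on a production host means a guest or test account exists with a guessable password; removing or locking those accounts closes the path the post describes.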

