Re: Automated SSH login attempts?
From: Juan Carlos Navea <loconet () gmail com>
Date: Thu, 29 Jul 2004 09:37:30 -0400
One of the boxes at work actually got rooted through a successful
attempt at the account test. They later proceeded to get root through
a local exploit. This box was badly updated.
Jul 12 22:26:51 server sshd: Accepted password for test from 18.104.22.168 port 1954 ssh2
Jul 12 22:42:35 server sshd: Accepted password for test from 22.214.171.124 port 56454 ssh2
These were followed by more attempts at users test/guest/admin/root.
Our ISP shut us down as some other admins reported that this box was
now attempting brute force logins on other boxes within the same
network space. This actually included one of our other boxes which
luckily was not rooted.
Anyways, once we managed to bring our box back up we noticed that
after the successful login, it proceeded to install a rootkit. In this
case we detected SuckIt.
After various attempts, we were able to remove SuckIt:
[root () server .sk12]# ./sk u
Detected version: 1.3b
Suckit uninstalled sucesfully!
As usual for this rootkit, it had installed an exploited sshd, a
password sniffer and infected initd and telinetd.
More info on sk:
Up to this day, we get at least 10 brute force attempts a day on most
of our boxes.
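
A defender-side triage of the log pattern described in this message, as an added example that is not part of the original post: it flags accepted password logins for the generic accounts named above (test/guest/admin/root) and counts failed attempts from the same source. The function name, the sample log lines and the documentation-range IP addresses are constructed for illustration.

```python
import re

# Account names the post lists as brute-force targets.
GENERIC_ACCOUNTS = {"test", "guest", "admin", "root"}

# Matches syslog sshd password lines in the format quoted in the post,
# including the "illegal user"/"invalid user" prefix sshd adds for unknown names.
LINE_RE = re.compile(
    r"sshd(?:\[\d+\])?: (?P<result>Accepted|Failed) password for "
    r"(?:(?:invalid|illegal) user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample input (not taken from the original post).
SAMPLE_LOG = """\
Jul 12 22:20:03 server sshd[811]: Failed password for illegal user guest from 192.0.2.10 port 1950 ssh2
Jul 12 22:20:05 server sshd[812]: Failed password for illegal user admin from 192.0.2.10 port 1951 ssh2
Jul 12 22:20:09 server sshd[813]: Failed password for root from 192.0.2.10 port 1952 ssh2
Jul 12 22:26:51 server sshd[814]: Accepted password for test from 192.0.2.10 port 1954 ssh2
Jul 12 22:30:00 server sshd[815]: Accepted password for alice from 198.51.100.7 port 40022 ssh2
"""

def triage(lines):
    """Return (alerts, failures_by_ip) for an iterable of auth log lines."""
    failures = {}
    accepted = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not an sshd password event
        if m["result"] == "Failed":
            failures[m["ip"]] = failures.get(m["ip"], 0) + 1
        elif m["user"] in GENERIC_ACCOUNTS:
            accepted.append((m["user"], m["ip"]))
    # A generic-account login from a source that also produced failures
    # is the pattern worth investigating first.
    alerts = [
        {"user": user, "ip": ip, "failed_from_same_ip": failures.get(ip, 0)}
        for user, ip in accepted
    ]
    return alerts, failures

if __name__ == "__main__":
    found, per_ip = triage(SAMPLE_LOG.splitlines())
    for alert in found:
        print("ALERT", alert)
    print("failed attempts per source:", per_ip)
```
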