mailing list archives
Re: Automated SSH login attempts?
From: Stefan Janecek <stefan.janecek () jku at>
Date: Thu, 29 Jul 2004 18:38:15 +0200
Hmmm - I have also been getting those login attemps, but thought them to
be harmless. Maybe they are not *that* harmless, though... Today I
managed to get my hands on a machine that was originating such login
attempts. I must admit I am far from being a linux security expert, but
this is what I've found out up to now:
Whoever broke into the machine did not take any attempts to cover up his
tracks - this is what I found in /root/.bash_history:
tar xzvf ssh.tgz
tar xvf ssh.tgz
rm -rf uniq.txt
rm -rf uniq.txt vuln.txt
um-hum. I downloaded 'ssh.tgz', it contains the script go.sh and two
./ss 22 -b $1 -i eth0 -s 6
cat bios.txt |sort | uniq > uniq.txt
* 'ss' apparently is some sort of portscanner
* 'sshf' connects to every IP in uniq.txt and tries to log in as user
'test' first, then as user 'guest' (according to tcpdump).
This does not seem to be a stupid brute force attack, as there is only
one login attempt per user. Could it be that the tool tries to exploit
some vulnerability in the sshd, and just tries to look harmless by using
'test' and 'guest' as usernames?
The compromised machine was running an old debian woody installation
which had not been upgraded for at least one year, the sshd version
string says 'OpenSSH_3.6.1p2 Debian 1:3.6.1p2-10'
As already mentioned, I am far from being an expert, but if I can assist
in further testing, then let me know. Please CC me, I am not subscribed
to the list.
Full-Disclosure - We believe in it.
Re: Automated SSH login attempts? Stefan Janecek (Jul 29)
Re: Re: Automated SSH login attempts? Andrei Galca-Vasiliu (Jul 29)
Re: Re: Automated SSH login attempts? Dagur Valberg Johannsson (Jul 29)