Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Re: Automated SSH login attempts?
From: dmargoli () stwing org
Date: Thu, 29 Jul 2004 18:18:01 -0400

Max Valdez wrote:

doesnt make any sense

That way you should have root on the first box to start exploiting others, kind of weird.

smells like rootkit downloader to me.

Anybody willing to make a strace of this program ??


A previous poster mentioned that after exploiting a test/test or guest/guest account, an attacker downloaded SuckIt to his machine, got root using some unspecified local vuln (he said it was a very unpatched mcahine), and started from there.

The program IS linked against OpenSSL and appears to inintiate an ssh connection with the target(s) in a separate text file (uniq.txt). I can't follow the connection because of the encryption, but it seems to be trying a user and then disconnecting (as in, I see nothing really obviously out of the ordinary when I run it). Haven't got farther in disassembling it yet.

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]