[Full-Disclosure] Re: Automated SSH login attempts?
joe at joesmith.homeip.net
Thu Jul 29 21:37:17 BST 2004
You can decompile using REC.
Andrei Galca-Vasiliu wrote:
>By the way, you have to be root to use "ss":
>sweet at andrei:~/ssh$ ./go.sh 82.77.45
>scanning network 82.77.*.*
>usec: 30000, burst packets 50
>using inteface eth0
>ERROR: UID != 0
>In an email dated Thursday 29 July 2004 19:38, Stefan Janecek
>>Hmmm - I have also been getting those login attempts, but thought them to
>>be harmless. Maybe they are not *that* harmless, though... Today I
>>managed to get my hands on a machine that was originating such login
>>attempts. I must admit I am far from being a linux security expert, but
>>this is what I've found out up to now:
>>Whoever broke into the machine did not take any attempts to cover up his
>>tracks - this is what I found in /root/.bash_history:
>>tar xzvf ssh.tgz
>>tar xvf ssh.tgz
>>rm -rf uniq.txt
>>rm -rf uniq.txt vuln.txt
>>um-hum. I downloaded 'ssh.tgz', it contains the script go.sh and two
>>./ss 22 -b $1 -i eth0 -s 6
>>cat bios.txt |sort | uniq > uniq.txt
>>* 'ss' apparently is some sort of portscanner
>>* 'sshf' connects to every IP in uniq.txt and tries to log in as user
>>'test' first, then as user 'guest' (according to tcpdump).
>>This does not seem to be a stupid brute force attack, as there is only
>>one login attempt per user. Could it be that the tool tries to exploit
>>some vulnerability in the sshd, and just tries to look harmless by using
>>'test' and 'guest' as usernames?
>>The compromised machine was running an old debian woody installation
>>which had not been upgraded for at least one year, the sshd version
>>string says 'OpenSSH_3.6.1p2 Debian 1:3.6.1p2-10'
>>As already mentioned, I am far from being an expert, but if I can assist
>>in further testing, then let me know. Please CC me, I am not subscribed
>>to the list.
>>Full-Disclosure - We believe in it.
Full-Disclosure is hosted and sponsored by Secunia.
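Detection logic for the pattern Stefan describes (one attempt as 'test', then one as 'guest', from each source host, rather than many attempts per account), written here as an added example for this thread; it is not code from the original post or from the tool discussed. The auth.log lines are constructed, and the regex accepts both the "illegal user" wording that OpenSSH of that era logged and the later "invalid user" form.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines (documentation IP ranges, not real hosts).
SAMPLE_LOG = """\
Jul 29 19:38:01 woody sshd[2211]: Illegal user test from 198.51.100.23
Jul 29 19:38:01 woody sshd[2211]: Failed password for illegal user test from 198.51.100.23 port 4123 ssh2
Jul 29 19:38:03 woody sshd[2213]: Illegal user guest from 198.51.100.23
Jul 29 19:38:03 woody sshd[2213]: Failed password for illegal user guest from 198.51.100.23 port 4125 ssh2
Jul 29 20:02:11 woody sshd[2300]: Failed password for root from 192.0.2.5 port 5000 ssh2
Jul 29 20:02:12 woody sshd[2300]: Failed password for root from 192.0.2.5 port 5000 ssh2
Jul 29 20:02:13 woody sshd[2300]: Failed password for root from 192.0.2.5 port 5000 ssh2
Jul 29 21:00:00 woody sshd[2400]: Accepted password for alice from 192.0.2.7 port 6000 ssh2
"""

# Matches sshd failure lines; the optional group covers "illegal user" / "invalid user".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed \w+ for (?:illegal user |invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

PROBE_USERS = ("test", "guest")  # the two usernames observed in the post


def failed_logins_by_ip(log_text):
    """Map source IP -> {username: number of failed attempts}."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")][m.group("user")] += 1
    return counts


def classify(log_text):
    """Label each failing source: 'probe' when it tried exactly test and guest once each,
    'bruteforce' when it hammered any single account, 'other' for anything else."""
    labels = {}
    for ip, per_user in failed_logins_by_ip(log_text).items():
        only_probe_users = set(per_user) <= set(PROBE_USERS)
        once_each = all(per_user.get(u) == 1 for u in PROBE_USERS)
        if only_probe_users and once_each:
            labels[ip] = "probe"
        elif max(per_user.values()) > 1:
            labels[ip] = "bruteforce"
        else:
            labels[ip] = "other"
    return labels


if __name__ == "__main__":
    for ip, label in sorted(classify(SAMPLE_LOG).items()):
        print(ip, label)
```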