-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Good point.

Dan Margolis wrote:

| Rui Pedro Figueira Covelo wrote:
|
| | I noticed that the .bash_history is from the root account. Not guest
| | or test. If this .bash_history is real, the fact that someone got root
| | proves that someone used an exploit rather than guessing a weak password
| | of a guest or test account, right?
|
| I don't think it's proof. He hasn't told us the full story. It could be
| that the attacker used a local root exploit after gaining user-level
| access. Certainly, root access is required to run sshf.
|
| It's also possible, of course, that this is just a big hoax by the guy
| whose e-mail I forwarded to get people to download and run a trojan as
| root (which is why I ran it on a Knoppix CD).
|
| In either case, another poster on FD claims ss is a version of a fast
| portscanner, which appears reasonable. sshf then sshs to the machines
| listed in uniq.txt and apparently tries to log in. Oddly enough, though,
| after running it on my machine, I saw it initiate the connection, but I
| didn't see it in my logs as having tried to log in as test or guest or
| anything, which scares me a little. But it didn't do anything, either.
|
| The binary is linked against OpenSSL, so that's somewhat convincing that
| it is what it seems, and it contains the strings ``guest'' and ``test'',
| which seem to be hardcoded login attempts.
|
| I still think the likelihood of a 0day against OpenSSH is pretty slim,
| unless it only works on a very small number of machines/architectures.
|
| --
| Dan Margolis
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBCWykfLPhlaxNQk0RAl8uAJ9fwlLCK/Zcc3wLl2SByHbvygQoCACfUsnj
ujuMIjwkuky/SbCvTAs9MFE=
=V95G
-----END PGP SIGNATURE-----

--
gentoo-security@g.o mailing list
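As an added example for this thread (not code from any poster, and not part of the sshf binary under discussion): a small Python script that scans OpenSSH auth-log lines for login attempts against the hard-coded `guest` and `test` accounts Dan describes, and groups them by source address so a scanner stands out from a legitimate user's typo. The log lines embedded below are constructed for illustration; the message formats are the ones sshd writes to syslog (auth.log or secure), while the hostname, PIDs and addresses are assumed values.

```python
"""Flag SSH login attempts against account names a scanner is known to try.

Added example for the gentoo-security thread above; not code from the posters
or from the sshf/ss binaries they discuss. SAMPLE_LOG is constructed for
illustration (RFC 5737 documentation addresses, invented PIDs/hostname).
"""
import re
from collections import defaultdict

# Account names the thread reports as hard-coded in the sshf binary.
WATCHED_USERS = {"guest", "test"}

# sshd message shapes of interest. "invalid user" is present when the named
# account does not exist locally; without it, the name is a real account.
FAILED_RE = re.compile(
    r"Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)
INVALID_RE = re.compile(r"Invalid user (?P<user>\S+) from (?P<src>\S+)")
ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)

# Constructed sample: one scanner-like source hitting test, guest, then root;
# one ordinary user with a key login and a single password failure.
SAMPLE_LOG = """\
Aug  1 03:12:07 host sshd[2190]: Invalid user test from 192.0.2.10
Aug  1 03:12:07 host sshd[2190]: Failed password for invalid user test from 192.0.2.10 port 40111 ssh2
Aug  1 03:12:09 host sshd[2193]: Invalid user guest from 192.0.2.10
Aug  1 03:12:09 host sshd[2193]: Failed password for invalid user guest from 192.0.2.10 port 40112 ssh2
Aug  1 03:15:41 host sshd[2201]: Failed password for root from 192.0.2.10 port 40120 ssh2
Aug  1 08:02:13 host sshd[2310]: Accepted publickey for alice from 198.51.100.5 port 51002 ssh2
Aug  1 08:05:00 host sshd[2315]: Failed password for alice from 198.51.100.5 port 51010 ssh2
""".splitlines()


def parse_line(line):
    """Return (event, user, src) for a recognised sshd line, else None."""
    m = ACCEPTED_RE.search(line)
    if m:
        return ("accepted", m.group("user"), m.group("src"))
    m = FAILED_RE.search(line)
    if m:
        return ("failed", m.group("user"), m.group("src"))
    m = INVALID_RE.search(line)
    if m:
        return ("invalid", m.group("user"), m.group("src"))
    return None


def scan(lines, watched=WATCHED_USERS):
    """Group attempts by source and keep only sources that tried a watched user.

    Returns {src: {"users": set(), "failed": int, "accepted": [users]}}.
    "Invalid user" lines only record the name; the matching "Failed password"
    line for the same attempt is what increments the failure count, so one
    attempt is not counted twice.
    """
    by_src = defaultdict(lambda: {"users": set(), "failed": 0, "accepted": []})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        event, user, src = ev
        rec = by_src[src]
        rec["users"].add(user)
        if event == "accepted":
            rec["accepted"].append(user)
        elif event == "failed":
            rec["failed"] += 1
    return {src: rec for src, rec in by_src.items() if rec["users"] & watched}


def report(results):
    """Render scan() output as one line per suspicious source."""
    out = []
    for src, rec in sorted(results.items()):
        users = ",".join(sorted(rec["users"]))
        status = "ACCEPTED:" + ",".join(rec["accepted"]) if rec["accepted"] else "no success"
        out.append(f"{src}: {rec['failed']} failed, users={users}, {status}")
    return out


if __name__ == "__main__":
    for line in report(scan(SAMPLE_LOG)):
        print(line)
```

To run it against a real host, feed `scan()` the lines of `/var/log/auth.log` or `/var/log/secure` instead of `SAMPLE_LOG`. One caveat that matches Dan's observation: a client that only opens the TCP connection and disconnects before authenticating never produces a "Failed password" line, so at sshd's default LogLevel it leaves at most a connection-level message such as "Did not receive identification string", which this script deliberately ignores; absence of a hit here is not evidence that nothing connected.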