| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
|
| 5 |
Good point. |
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
Dan Margolis wrote: |
| 10 |
|
| 11 |
| Rui Pedro Figueira Covelo wrote: |
| 12 |
| |
| 13 |
| | I noticed that the .bash_history it's from the root account. Not guest |
| 14 |
| | or test. If this .bash_history is real, the fact that someone got root |
| 15 |
| | proves that someone used an exploit rather than guessing a weak password |
| 16 |
| | of a guest or test account, right? |
| 17 |
| |
| 18 |
| I don't think it's proof. He hasn't told us the full story. It could be |
| 19 |
| that the attacker used a local root exploit once gaining user level |
| 20 |
| access. Certainly, root access is required to run sshf. |
| 21 |
| |
| 22 |
| It's also possible, of course, that this is just a big hoax by the guy |
| 23 |
| who's e-mail I forwarded to get people to download and run a trojan as |
| 24 |
| root (which is why I ran it on a Knoppix CD). |
| 25 |
| |
| 26 |
| In either case, another poster on FD claims ss is a version of a fast |
| 27 |
| portscanner, which appears reasonable. sshf then sshs to the machines |
| 28 |
| listed in uniq.txt and apparently tries to log in. Oddly enough, though, |
| 29 |
| after running it on my machine, I saw it initiate the connection, but I |
| 30 |
| didn't see it in my logs as having tried to log in as test or guest or |
| 31 |
| anything, which scares me a little. But it didn't do anything, either. |
| 32 |
| |
| 33 |
| The binary is linked against OpenSSL, so that's somewhat convincing that |
| 34 |
| it is what it seems, and it contains the strings ``guest'' and ``test'', |
| 35 |
| which seem to be hardcoded login attempts. |
| 36 |
| |
| 37 |
| I still think the liklihood of a 0day against OpenSSH is pretty slim, |
| 38 |
| unless it only works on a very small number of machines/architectures. |
| 39 |
| |
| 40 |
| -- |
| 41 |
| Dan Margolis |
| 42 |
-----BEGIN PGP SIGNATURE----- |
| 43 |
Version: GnuPG v1.2.3 (MingW32) |
| 44 |
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org |
| 45 |
|
| 46 |
iD8DBQFBCWykfLPhlaxNQk0RAl8uAJ9fwlLCK/Zcc3wLl2SByHbvygQoCACfUsnj |
| 47 |
ujuMIjwkuky/SbCvTAs9MFE= |
| 48 |
=V95G |
| 49 |
-----END PGP SIGNATURE----- |
| 50 |
|
| 51 |
-- |
| 52 |
gentoo-security@g.o mailing list |
Archives