Re: [Full-Disclosure] Automated SSH login attempts?
From: Stefan Janecek (stefan.janecekjku.at)
Date: Fri Jul 30 2004 - 14:20:14 CDT
On Fri, 2004-07-30 at 13:51, Jan Muenther wrote:
> Now, if anybody could jump through the hoop and send me the thing or make it
> publicly available... all these things are musings, 'it looks as if...' and 'it
> seems like...' are not exactly results of an analysis.
Agreed. The thing *is* publicly available, just do 'wget
frauder.us/linux/ssh.tgz'. What kept me from disassembling the thing so
far is not availability, but lacking knowledge about the ssh protocol on
my side ;-)
> Just tracing tcpdump's output is definitely insufficient.
> If the tool just sends normal TCP packets, then why does it need root rights,
> which you typically only require for raw sockets to build packets which can't
> be constructed with SOCK_STREAM or SOCK_DGRAM?
The tool itself does not need root rights. What needs to be root is the
portscanner accompanying it.
> I hope you don't run it on your production boxes in the normal userland - ever
> considered the fact it might contain an ELF infector or something?
> Now, if I wanted to deploy malware on a Linux box, I'd just come up with a
> mysterious looking tool and let that infect the machines of people who just
> run anything they can get a hold of. It's Linux, after all, right? No viruses,
hehe. According to a brief look at the strace of this thingy, it does
not do anything suspicious on the local box. But maybe I should have a
second look - who knows?
> > >Do I take it that these things are just trying to log in using some
> > >guessed password(s) ? Out of interest, do we have any idea what these
> > >opportunistic passwords might be ?
> > At least two of them are guest:guest and test:test. I'd guess that
> > root:root and adminadmin are on the list too :-)
> This thing needs to be disassembled, debugged and traced. All else is just
> whistling in the dark. Meh.
Right. And somebody volunteered for this job right now, did you? ;-)
> Cheers, J.
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
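As an added defender-side example, not part of this thread, here is a short Python script that counts failed sshd password attempts per source address and reports which of the account names the thread mentions (guest, test, root, admin) were tried. The log lines are constructed samples in OpenSSH's standard syslog format; the threshold of three failures is an assumed value.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines (not taken from the thread); the format
# mirrors OpenSSH's syslog "Failed password" / "Accepted password" records.
SAMPLE_LOG = """\
Jul 30 13:50:01 host sshd[1201]: Failed password for invalid user guest from 192.0.2.10 port 40112 ssh2
Jul 30 13:50:02 host sshd[1202]: Failed password for invalid user test from 192.0.2.10 port 40113 ssh2
Jul 30 13:50:03 host sshd[1203]: Failed password for root from 192.0.2.10 port 40114 ssh2
Jul 30 13:50:04 host sshd[1204]: Failed password for invalid user admin from 192.0.2.10 port 40115 ssh2
Jul 30 13:51:10 host sshd[1210]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Jul 30 13:51:30 host sshd[1211]: Accepted password for alice from 198.51.100.7 port 51001 ssh2
"""

# Matches both "Failed password for invalid user X" and "Failed password for X".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Account names the thread reports the bot guessing (assumed set).
OPPORTUNISTIC_USERS = {"guest", "test", "root", "admin"}


def parse_failures(log_text):
    """Return a list of (ip, user) tuples, one per failed-password record."""
    hits = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            hits.append((m.group("ip"), m.group("user")))
    return hits


def find_bruteforce_sources(log_text, threshold=3):
    """Flag source IPs with at least `threshold` failures and list which of
    the opportunistic account names each one tried."""
    per_ip = defaultdict(list)
    for ip, user in parse_failures(log_text):
        per_ip[ip].append(user)
    report = {}
    for ip, users in per_ip.items():
        if len(users) >= threshold:
            tried = sorted(set(users) & OPPORTUNISTIC_USERS)
            report[ip] = {"failures": len(users), "guessed_accounts": tried}
    return report


if __name__ == "__main__":
    for ip, info in find_bruteforce_sources(SAMPLE_LOG).items():
        print(ip, info)
```

On the sample above the script flags only 192.0.2.10, which tried all four guessed account names; the single failure from 198.51.100.7 followed by a success stays below the threshold.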