Incidents list thread:
SSH attacks? Jul 26 2004 10:59PM Robin (robin kallisti net nz) (10 replies)
Re: SSH attacks? Jul 28 2004 04:33AM brandy (brandy klammeraffe org) (2 replies)
Re: SSH attacks? Jul 29 2004 12:22AM Andrew J Caines (A J Caines halplant com) (3 replies)
Re: SSH attacks? Jul 27 2004 09:12PM buzz (reitenba fh-brandenburg de) (2 replies)
Re: SSH attacks? Jul 27 2004 08:46PM Adam Young (adam vbfx com) (1 replies)
Re: SSH attacks? Jul 28 2004 08:19AM Christine Kronberg (Christine_Kronberg genua de) (3 replies)
Re: SSH attacks? Jul 29 2004 09:21AM Pieter-Bas IJdens (pieter-bas ijdens com) (2 replies)
>
> It seems that at least one host has been rooted somehow relating to the
> scans we're seeing:
>
> http://www.dslreports.com/forum/remark,10854834~mode=flat~days=9999~start=60
More than just one. I'm willing to bet every source IP that hits you was
compromised the same way.
One interesting tidbit I've noticed is that every source IP I've
checked had SQL listening. Not sure if it's related or a coincidence.
> I'm pretty sure there is a new SSH exploit around. At least this clearly
> isn't a brute force attack.
I guess I don't see how you are drawing that conclusion. To quote from
the link you provided above:
[QUOTE]
Jul 12 22:26:51 server sshd[12868]: Accepted password for test from 130.15.15.239 port 1954 ssh2
Jul 12 22:42:35 server sshd[13998]: Accepted password for test from 216.55.164.10 port 56454 ssh2
[/QUOTE]
IMHO this *is not* an exploit, but rather a connection due to a poor
password policy for the user "test" (in other words, this is classic
brute force). You could be running an outdated SSH version, use good
passwords, and be totally safe from this type of attack (not that I'm
advocating running outdated software, just trying to make a point).
> As we are seeing lots of scans, but only few
> rooted hosts, it really doesn't look like a worm either. Someone seems
> to be scanning for vulnerable SSH daemons, obviously using previously
> rooted hosts, and then roots vulnerable hosts of his/her choice
> manually.
Based on the info I've seen, I believe the brute force portion is
automated while the actual toolkit install and "rooting" is being done
manually. It looks too much like a newbie fumbling around.
> As I wrote in my previous message, I think it's a good choice to limit
> access to SSH until this issue is solved.
Always a good idea, but if it was me I would grab a copy of John The
Ripper, the passwd & shadow files, and ensure you are using decent
passwords on all of your accounts.
HTH,
Chris
[ reply ]
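An added example, not from the thread or any of its posters, of the check that Chris's reading of those log lines implies: scanning sshd auth log lines for an "Accepted password" that follows a run of "Failed password" events from the same source IP, which is the brute-force signature rather than an exploit. The two Accepted lines in the sample are the ones quoted above; the Failed lines, the hostname and the threshold of 3 are constructed for illustration.

```python
import re
from collections import defaultdict

# sshd auth-log lines, in the shape quoted in the thread:
#   <ts> <host> sshd[<pid>]: Failed password for [invalid user] <user> from <ip> port <port> ssh2
#   <ts> <host> sshd[<pid>]: Accepted password for <user> from <ip> port <port> ssh2
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

def parse(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def find_bruteforce_logins(lines, threshold=3):
    """Return (ip, user, failures_before_success) for every Accepted password
    event preceded by at least `threshold` Failed password events from the
    same source IP. Lines are expected in file order (chronological)."""
    failures = defaultdict(int)
    hits = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue  # publickey logins and unrelated lines are ignored
        if ev["result"] == "Failed":
            failures[ev["ip"]] += 1
        elif failures[ev["ip"]] >= threshold:
            hits.append((ev["ip"], ev["user"], failures[ev["ip"]]))
    return hits

# Constructed sample log: the Accepted lines are quoted from the thread; the
# Failed lines are invented to show the guessing run that precedes a success.
SAMPLE_LOG = """\
Jul 12 22:25:40 server sshd[12860]: Failed password for invalid user admin from 130.15.15.239 port 1940 ssh2
Jul 12 22:25:58 server sshd[12862]: Failed password for invalid user guest from 130.15.15.239 port 1944 ssh2
Jul 12 22:26:20 server sshd[12865]: Failed password for test from 130.15.15.239 port 1950 ssh2
Jul 12 22:26:51 server sshd[12868]: Accepted password for test from 130.15.15.239 port 1954 ssh2
Jul 12 22:40:01 server sshd[13990]: Accepted publickey for alice from 10.0.0.5 port 40000 ssh2
Jul 12 22:42:35 server sshd[13998]: Accepted password for test from 216.55.164.10 port 56454 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, user, n in find_bruteforce_logins(SAMPLE_LOG):
        print(f"{ip}: login as '{user}' after {n} failed attempts")
```

The second Accepted line is not flagged because no failures from 216.55.164.10 precede it; a success with no guessing run is the case that deserves a closer look at whether the password was already known.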