This is from the ISC's mailling and is relevant here:
Subject: [Intrusions] Linux SSH scanning - test/guest
Importance: Low
FYI
We got zapped by some hackers from, I think, Romania that have a
priv escalation exploit for Linux 2.4.20
http://sirzion.illusivecreations.com/loginxy
There is also a multithreaded SSH bruteforcer called "haita"
This attempts to login to machines using the accounts "test" and "guest",
with passwords "test" & "guest" respectively. It runs from a file
of addresses found by a synscan program. It identifies itself as
SSH-2.0-libssh-0.1
So, SSH login failures for test & guest are an indication of this
thing running at the remote end.
The two names & passwords appear to be hardcoded into the program.
Since Linux as I recall backs off after failed attempts there wouldn't be
much to gain by trying many more names, but variants may appear with other
defaults.
--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
security (at) triumf (dot) ca [email concealed]
_______________________________________________
_________________________________________________________________
MSN Toolbar provides one-click access to Hotmail from any Web page ? FREE
download! http://toolbar.msn.click-url.com/go/onm00200413ave/direct/01/
Subject: [Intrusions] Linux SSH scanning - test/guest
Importance: Low
FYI
We got zapped by some hackers from, I think, Romania that have a
priv escalation exploit for Linux 2.4.20
http://sirzion.illusivecreations.com/loginxy
There is also a multithreaded SSH bruteforcer called "haita"
This attempts to login to machines using the accounts "test" and "guest",
with passwords "test" & "guest" respectively. It runs from a file
of addresses found by a synscan program. It identifies itself as
SSH-2.0-libssh-0.1
So, SSH login failures for test & guest are an indication of this
thing running at the remote end.
The two names & passwords appear to be hardcoded into the program.
Since Linux as I recall backs off after failed attempts there wouldn't be
much to gain by trying many more names, but variants may appear with other
defaults.
--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
security (at) triumf (dot) ca [email concealed]
_______________________________________________
_________________________________________________________________
MSN Toolbar provides one-click access to Hotmail from any Web page ? FREE
download! http://toolbar.msn.click-url.com/go/onm00200413ave/direct/01/
[ reply ]