brute force ssh attack

Joel Jaeggli joelja at darkwing.uoregon.edu
Wed Apr 27 12:12:40 UTC 2005


On Wed, 27 Apr 2005, Daniel Kirsten wrote:

> Hello,
>
> there are numerous brute force ssh attacks on the web.
> I was quite curious, and for fun, I created the typical
> user accounts and set easy to guess passwords....
>
> Yesterday, such an ssh login was successful for users
> kevin and daikanyama.     The hackers changed the passwords
> for both logins.   They installed a certain program
> "undernet" as daikanyama and started a program called mech.
>
> After some minutes, I removed the network cable, killed
> all the processes of the users and disabled these users.
>
> Then, I figured out that some programs such as grep did not work.
> I rebooted the machine, but during the reboot I got
> various "segmentation faults", "illegal instructions", ....
>
> I booted from an FC3 rescue CD, and I found out that
> various executables in /bin and /usr/bin were
> manipulated (grep, egrep, gzip, rpm, mount, ...).
> I replaced these manipulated executables with original
> files, but I forgot to replace gtbl.
>
> Then, the machine booted correctly.  Later, when gtbl
> was called, some executables in /bin and /usr/bin
> were manipulated.  It seems to be some virus: when
> you start a manipulated executable, it manipulates
> other executables.
>
> I managed to replace all manipulated files and the
> machine seems to work correctly.
>
> My question is:  They did not guess the root password,
> how did they manipulate files which are only writable
> by root???

close examination of the rootkit they installed should be able to determine 
the attack vector used to gain root privileges


> Is anyone interested in log-files or in the programs
> which the hackers installed under daikanyama?
>
> Best regards,  Daniel
>
>

-- 
-------------------------------------------------------------------------- 
Joel Jaeggli  	       Unix Consulting 	       joelja at darkwing.uoregon.edu 
GPG Key Fingerprint:     5C6E 0104 BAF0 40B0 5BD3 C38B F000 35AB B67F 56B2
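The step the original poster did by hand from the rescue CD, comparing the binaries in /bin and /usr/bin against known-good copies and noticing that a missed one (gtbl) re-infected the rest, is what a file-integrity baseline automates. The script below is an added example written for this page; it is not code from the thread, from Fedora, or from the rootkit. It records a manifest of hashes while the tree is clean and later reports binaries that were modified, removed, or newly dropped. The scratch tree built in demo() is a constructed stand-in for /bin, not the poster's machine. On FC3 the packaged equivalent is `rpm -Va`, but since rpm itself was on the poster's list of replaced executables, a verifier that lives on the compromised disk cannot be trusted; the manifest should be taken beforehand, kept off-box, and checked with tools from the rescue media.

```shell
#!/bin/sh
# Added example, not code from the thread or from Fedora: a baseline manifest
# plus a verifier that reproduces the "compare /bin and /usr/bin against clean
# copies" step from a rescue environment. Names and the scratch tree in demo()
# are constructed for illustration.

# make_baseline DIR MANIFEST: record the SHA-256 of every regular file below
# DIR, in a stable order, into MANIFEST (one "hash  path" line per file).
make_baseline() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum "$f"
    done > "$2"
}

# verify_baseline DIR MANIFEST: print one line per finding
#   MODIFIED path   hash differs from the manifest (a trojaned binary)
#   MISSING  path   listed in the manifest but gone
#   NEW      path   present below DIR but never recorded (a dropped tool)
# and return 1 if anything was found, 0 if the tree matches exactly.
verify_baseline() {
    dir=$1 manifest=$2 rc=0
    while read -r want file; do
        if [ ! -f "$file" ]; then
            echo "MISSING  $file"; rc=1; continue
        fi
        have=$(sha256sum "$file" | cut -d' ' -f1)
        [ "$have" = "$want" ] || { echo "MODIFIED $file"; rc=1; }
    done < "$manifest"
    # sha256sum lines are 64 hex chars + two spaces, so the path starts at column 67.
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        cut -c67- "$manifest" | grep -qxF -- "$f" || { echo "NEW      $f"; rc=1; }
    done <<EOF
$(find "$dir" -type f)
EOF
    return $rc
}

# demo: constructed stand-in for the poster's /bin (hypothetical scratch tree).
# Takes a baseline while "clean", then simulates what the thread describes:
# two binaries overwritten, one attacker tool dropped, one binary removed.
# Prints the sorted findings.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/bin"
    for b in grep egrep gzip gtbl mount; do
        printf '#!/bin/sh\necho %s\n' "$b" > "$work/bin/$b"
        chmod 755 "$work/bin/$b"
    done
    make_baseline "$work/bin" "$work/manifest"   # taken before the compromise

    printf 'payload\n' >> "$work/bin/grep"       # trojaned, like grep in the thread
    printf 'payload\n' >> "$work/bin/gtbl"       # the one the poster forgot
    printf '#!/bin/sh\n' > "$work/bin/mech"      # dropped attacker tool
    rm -f "$work/bin/mount"                      # deleted binary

    verify_baseline "$work/bin" "$work/manifest" | LC_ALL=C sort
    rm -rf "$work"
}

demo
```

The NEW check matters as much as the MODIFIED one: a rootkit that overwrites grep is caught by the hash, but the tools it drops under an unprivileged account (mech in this thread) only show up if you also walk the tree for files the manifest never saw. Run the verifier from the rescue media against the mounted root, not from the booted system, since the sha256sum, find and cut on the compromised disk may be as trojaned as the binaries they would be checking.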



