brute force ssh attack
Aleksandar Milivojevic
amilivojevic at pbl.ca
Wed Apr 27 15:56:38 UTC 2005
Daniel Kirsten wrote:
> Hello,
>
> there are numerous brute force ssh attacks on the web.
> I was quite curious, and for fun, I created the typical
> user accounts and set easy to guess passwords....
Generally, a very bad idea. Unless you know exactly what you are doing,
which you obviously don't.
> Yesterday, such an ssh login was successful for users
> kevin and daikanyama. The hackers changed the passwords
> for both logins. They installed a certain program
> "undernet" as daikanyama and started a program called mech.
>
> After some minutes, I removed the network cable, killed
> all the processes of the users and disabled these users.
You don't just unplug the network cable. You wipe the machine and reinstall
it from scratch. Simple as that.
> Then, I figured out that some programs as grep did not work.
> I rebooted the machine, but during the reboot I got
> various "segmentation faults", "illegal instructions", ....
Yeah, they were probably script kiddies who had no clue what they were
doing, and they installed a corrupted rootkit. If they knew what they
were doing, you'd never notice any file changes. See my previous
comment about reinstalling the machine from scratch.
> My question is: They did not guess the root password,
> how did they manipulate files which are only writable
> by root???
They don't need to guess root's password. All they need is a single
buggy setuid root executable. Either you didn't have security updates
installed, or the kids got their hands on a yet unreported exploit
(somehow, somewhere).
> Is anyone interested in log-files or in the programs
> which the hackers installed under daikanyama?
I don't see why. In all probability, they installed some robots that
can be controlled from IRC, which would enable them to perform DDoS using
your machine (and dozens or hundreds of other machines).
--
Aleksandar Milivojevic <amilivojevic at pbl.ca> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
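An added example, not part of the thread: a small checker for the pattern Daniel describes, a run of failed sshd password attempts followed by an accepted password login from the same source. The log lines are constructed to mirror the incident (accounts "kevin" and "daikanyama"); the hostname, PIDs and addresses are made up.

```python
import re
from collections import defaultdict

# Constructed sshd log lines modelled on the incident in the thread
# (guessable accounts "kevin" and "daikanyama"); not real log data.
SAMPLE_LOG = """\
Apr 26 03:14:01 host sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Apr 26 03:14:03 host sshd[2103]: Failed password for kevin from 198.51.100.7 port 40130 ssh2
Apr 26 03:14:05 host sshd[2105]: Failed password for kevin from 198.51.100.7 port 40134 ssh2
Apr 26 03:14:07 host sshd[2107]: Failed password for kevin from 198.51.100.7 port 40138 ssh2
Apr 26 03:14:09 host sshd[2109]: Accepted password for kevin from 198.51.100.7 port 40142 ssh2
Apr 26 03:20:11 host sshd[2211]: Failed password for daikanyama from 203.0.113.9 port 51000 ssh2
Apr 26 03:20:13 host sshd[2213]: Failed password for daikanyama from 203.0.113.9 port 51004 ssh2
Apr 26 03:20:15 host sshd[2215]: Failed password for daikanyama from 203.0.113.9 port 51008 ssh2
Apr 26 03:20:17 host sshd[2217]: Accepted password for daikanyama from 203.0.113.9 port 51012 ssh2
Apr 26 09:00:00 host sshd[3001]: Accepted publickey for alice from 192.0.2.5 port 33000 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and
# "Accepted password for X from IP" (OpenSSH auth log format).
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)

def analyse(log_text, threshold=3):
    """Return (failures_per_source, suspicious_logins).

    failures_per_source counts failed attempts per source IP, any user.
    suspicious_logins lists (user, src, prior_failures) for each accepted
    *password* login preceded by at least `threshold` failures from the
    same source: the "guessed it eventually" pattern from the thread.
    """
    failures = defaultdict(int)
    suspicious = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, user = m["src"], m["user"]
        if m["result"] == "Failed":
            failures[src] += 1
        elif m["method"] == "password" and failures[src] >= threshold:
            suspicious.append((user, src, failures[src]))
    return dict(failures), suspicious

if __name__ == "__main__":
    fails, hits = analyse(SAMPLE_LOG)
    for user, src, n in hits:
        print(f"password login for {user} from {src} after {n} failures")
```

Key-based logins are never flagged, so the output points at exactly the accounts whose passwords were guessed.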