brute force ssh attack

Aleksandar Milivojevic amilivojevic at pbl.ca
Wed Apr 27 15:56:38 UTC 2005


Daniel Kirsten wrote:
> Hello, 
> 
> there are numerous brute force ssh attacks on the web.  
> I was quite curious, and for fun, I created the typical 
> user accounts and set easy to guess passwords.... 

Generally, very bad idea.  Unless you know exactly what you are doing, 
which you obviously don't.

> Yesterday, such an ssh login was successful for users
> kevin and daikanyama.     The hackers changed the passwords 
> for both logins.   They installed a certain program  
> "undernet" as daikanyama and started a program called mech. 
> 
> After some minutes, I removed the network cable, killed 
> all the processes of the users and disabled these users.

You don't just unplug the network cable.  You wipe the machine and reinstall 
it from scratch.  Simple as that.

> Then, I figured out that some programs such as grep did not work. 
> I rebooted the machine, but during the reboot I got 
> various "segmentation faults", "illegal instructions", ....

Yeah, they were probably script kiddies who had no clue what they were 
doing, and they installed a corrupted rootkit.  If they knew what they 
were doing, you'd never notice any file changes.  See my previous 
comment about reinstalling the machine from scratch.

> My question is:  They did not guess the root password, 
> how did they manipulate files which are only writable 
> by root???

They don't need to guess root's password.  All they need is a single 
buggy setuid root executable.  Either you didn't have security updates 
installed, or the kids got their hands on an as-yet-unreported exploit 
(somehow, somewhere).

> Is anyone interested in log-files or in the programs 
> which the hackers installed under daikanyama?

I don't see why.  In all probability, they installed some robots that 
can be controlled from IRC, which would enable them to perform DDoS using 
your machine (and dozens or hundreds of other machines).

-- 
Aleksandar Milivojevic <amilivojevic at pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
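The pattern described in this thread (a run of failed password guesses from one source, followed by an accepted password login for the same account) is visible in sshd's own log lines. The script below is an added example for detecting it and is not code from the original post or from either poster; the log lines it parses are constructed for the demonstration, and the `threshold` value and the log format (standard syslog-style sshd messages) are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of sshd log lines in syslog format (not taken from the
# original post): a password-guessing run against the "kevin" account that
# eventually succeeds, plus unrelated noise from other sources.
SAMPLE_LOG = """\
Apr 26 03:12:01 host sshd[2201]: Failed password for kevin from 192.0.2.10 port 40122 ssh2
Apr 26 03:12:03 host sshd[2203]: Failed password for kevin from 192.0.2.10 port 40123 ssh2
Apr 26 03:12:05 host sshd[2205]: Failed password for kevin from 192.0.2.10 port 40124 ssh2
Apr 26 03:12:07 host sshd[2207]: Failed password for invalid user admin from 192.0.2.10 port 40125 ssh2
Apr 26 03:12:09 host sshd[2209]: Failed password for kevin from 192.0.2.10 port 40126 ssh2
Apr 26 03:12:11 host sshd[2211]: Accepted password for kevin from 192.0.2.10 port 40127 ssh2
Apr 26 03:15:00 host sshd[2300]: Failed password for root from 198.51.100.7 port 51000 ssh2
Apr 26 03:40:00 host sshd[2400]: Accepted publickey for alice from 203.0.113.5 port 60000 ssh2
"""

# Matches both "Failed password for kevin from ..." and
# "Failed password for invalid user admin from ...", as well as
# "Accepted password|publickey for <user> from <ip> port <n>".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_sshd_events(text):
    """Return a list of dicts (result, method, user, ip) for each auth line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def find_guessed_logins(text, threshold=3):
    """Return (ip, user, failures_before_success) for every accepted
    *password* login that followed at least `threshold` failed attempts
    from the same source address. Key-based logins are ignored, since a
    guessed password is the case being hunted here."""
    failures = defaultdict(int)
    hits = []
    for ev in parse_sshd_events(text):
        if ev["result"] == "Failed":
            failures[ev["ip"]] += 1
        elif ev["method"] == "password" and failures[ev["ip"]] >= threshold:
            hits.append((ev["ip"], ev["user"], failures[ev["ip"]]))
    return hits


def noisy_sources(text, threshold=3):
    """Sources with at least `threshold` failed attempts, successful or not;
    useful as a feed for blocking or alerting before a guess lands."""
    counts = defaultdict(int)
    for ev in parse_sshd_events(text):
        if ev["result"] == "Failed":
            counts[ev["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, user, n in find_guessed_logins(SAMPLE_LOG):
        print(f"password for {user!r} accepted from {ip} after {n} failures")
    print("noisy sources:", noisy_sources(SAMPLE_LOG))
```

On a real host the input would be the sshd lines from the system log rather than the constructed sample; the detection only reports a login once the failures precede it, which is exactly the sequence in the poster's account of the kevin login. A source with many failures but no success still shows up in `noisy_sources`, which is the earlier signal worth acting on.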