[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: brute force ssh attack

Matthew Miller wrote:
On Wed, Apr 27, 2005 at 03:50:57PM +0100, Nigel Wade wrote:

Number of infections 0-49, number of sites 0-2 - over 3 years.
Wow, it's speading like wildfire... help, help!
It has no escalation mechanism, so can only infect ELF files to which the user infected has write permission.
Threat ~0.

Looks like it spread to root from a user account in this case. Threat is
obviously somewhat greater than 0. Caution and good practices are still

There's no evidence that the virus escalated its own privilege. More likely that a root process executed an infected binary.

Moral of the story - don't execute binaries installed during a break-in just to see what they do, especially when logged in as root - and don't have "." in root's path!

Nigel Wade, System Administrator, Space Plasma Physics Group,
            University of Leicester, Leicester, LE1 7RH, UK
E-mail :    nmw ion le ac uk
Phone :     +44 (0)116 2523548, Fax : +44 (0)116 2523555

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]