brute force ssh attack

John Summerfied debian at herakles.homelinux.org
Wed May 4 00:43:08 UTC 2005 

Matthew Miller wrote:
> On Wed, Apr 27, 2005 at 05:14:51PM +0200, Daniel Kirsten wrote:
> 
>>Yesterday, I examined the directory ~daikanyama/.undernet and probably I 
>>executed mech as root. The file mech is indeed infected by Linux/Rst-B.   
>>This explains everything.......
>>Does anyone know whether .undernet/mech has another purpose than 
>>distributing the Linux/Rst-B virus???
> 
> 
> It looks like an IRC bot. I imagine the script kiddies who broke into your
> machine weren't even aware that the files are infected. (Or maybe, they were
> hoping you'd find them and execute them and make the virus spread to root,
> giving them a backdoor. But I bet that's giving too much credit.)
> 

mech is an IRC bot, it's available for download from its website. A 
while ago I had a Debian box cracked and mech was installed in, I think, 
some place under /var/spool/cron.

Complying with the GPL, the cracker included the source code for mech:-)

This actually happened to the same box twice - my first effort and 
sanitising was ineffective.

The cracker installed a set of binaries in /bin that caused the system 
to not work, consquently I discovered the crack within hours.

Someone in .mx infiltrated another box I manage (also Debian) via a user 
account, installed an IRC bot and other stoff and promptly used our 
system to attempt to crack others.

The kit includes attempts to crack various RH (and I think FC) releases 
plus (I think) SuSE and/or Mandrake. There was one for Debian, but not 
our kernel.

The cracks I've seen send email to someone at hotmail (or yahoo!) with 
information including the IP address of eth0.

None of the boxes I manage have public IP addresses on eth0 - those are 
assigned to ADSL routers or ppp0; in some cases I have the IP address 
also on a dummy interface to simplify routing issues (the Billions don't 
cope well with traffic aimed at their external IP address appearing from 
inside the network).

Probably, none of the cracks work if you keep your software up2date. 
Running Debian seems to help too:-)



-- 

Cheers
John

-- spambait
1aaaaaaa at computerdatasafe.com.au  Z1aaaaaaa at computerdatasafe.com.au
Tourist pics http://portgeographe.environmentaldisasters.cds.merseine.nu/

More information about the fedora-list mailing list