Re: Hack attempts

On Sat, 24.07.2004 at 15:46, Scot L. Harris wrote:

> >     Edwin> The last two days I got bugged by someone from Korea and
> >     Edwin> someone from Japan.  This is what I find in my LogWatch:
> >     Edwin> --------------------- SSHD Begin ------------------------
> > 
> > 
> >     Edwin> Failed logins from these: guest/password from
> >     Edwin> ::ffff:211.119.136.170: 1 Time(s) test/password from
> >     Edwin> ::ffff:211.119.136.170: 1 Time(s)
> > 
> >     Edwin> Illegal users from these: guest/none from
> >     Edwin> ::ffff:211.119.136.170: 1 Time(s) guest/password from
> >     Edwin> ::ffff:211.119.136.170: 1 Time(s) test/none from
> >     Edwin> ::ffff:211.119.136.170: 1 Time(s) test/password from
> >     Edwin> ::ffff:211.119.136.170: 1 Time(s)
> > 
> >     Edwin> Is this a known hack attempt by some sort of program?
> >     Edwin> Because for both tries the same usernames have been
> >     Edwin> tried: guest and test

> Are you using DSL or cable modem?  If so you really should invest in a
> cheap hardware router.  It is amazing how much that will protect you.
> 
> You may want to block that IP address in iptables just to be on the safe
> side.  
> 
> Most likely a script kiddie running some software they found.

> Scot L. Harris

Certainly some script kids are active. I have now investigated a couple of
machines from where these attempts reached me or friends' hosts. This is
what I can conclude:

1) The machines from where these attempts come are already hacked: they
have a rootkit running which runs an SSHD version 1.2.25 on a high
port. Most often there is a telnet daemon running too.

2) Most of the hacking machines have an old and vulnerable SSHD running.

3) They also have an old and vulnerable kernel running.

4) Many of the machines are older Redhat releases; I saw a lot of RH8.

5) The script connecting on SSH with user test and guest is checking the
SSH version and how the SSH reacts besides the plain version reply. This
way it can find out whether the host is a good target for the second
step.

6) I was on one hacking host because the rootkit on it - Fuck'it Rootkit
- had the default password (rootme), and I tried to find out more details
about what the kids do. I found scripts doing the SSH connection tests
and also a list of target IPs the script automatically sends to a
Romanian email address. The admins of the host were absolutely clueless
- astonishingly, it was a central host of a Pakistani internet provider,
holding radius data, data about customers and their usage of the
services they offer. The host was a default Redhat 8 host with no
update package installed! Unfortunately all my mail to the administrative
addresses I found via whois data came back, so I had to inform them
by modifying the /etc/motd and kicking the real root a few times, so they
had a chance to read the motd information. In all it took more than 24
hours until they finally closed the bad hole. Though I am not sure they
really changed anything on the host, so in future a further hack
over the vulnerable SSHD may take place.

Finally: firewalling is certainly a very good thing - but most important
is to keep the system as up to date as possible!

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 2 (Tettnang) kernel 2.6.7-1.494.2.2smp 
Serendipity 14:23:38 up 2 days, 7:51, load average: 0.51, 0.35, 0.20 

Attachment: signature.asc
Description: This is a digitally signed message part
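The pattern the thread describes, a single source trying the usernames "guest" and "test" before anything else, is easy to pick out of sshd's own log lines, and Scot's suggestion to block the source in iptables can be generated from the same data. The script below is an added example for this thread, not code from any of the posters: it parses constructed sample lines in the syslog format OpenSSH wrote at the time (the LogWatch summary above is derived from lines like these), strips the `::ffff:` IPv4-mapped prefix LogWatch showed, counts failures per source, flags sources that probed both guest and test or exceeded a failure threshold, and prints the iptables DROP commands for review rather than running them. The 192.0.2.10 address is a documentation address used for a benign source; the threshold of 3 is an assumption, not something from the thread.

```python
import re
from collections import defaultdict

# Usernames the probe script from the thread tried on every host.
PROBE_USERS = {"guest", "test"}

# Constructed sample sshd log lines (not real logs from the thread).
# 211.119.136.170 is the source Edwin reported; 192.0.2.10 is a
# documentation address standing in for a legitimate user who mistyped once.
SAMPLE_LOG = """\
Jul 24 03:12:01 host sshd[1234]: Failed password for guest from ::ffff:211.119.136.170 port 3321 ssh2
Jul 24 03:12:03 host sshd[1235]: Failed password for test from ::ffff:211.119.136.170 port 3322 ssh2
Jul 24 03:12:05 host sshd[1236]: Illegal user guest from ::ffff:211.119.136.170
Jul 24 03:12:07 host sshd[1237]: Illegal user test from ::ffff:211.119.136.170
Jul 24 08:00:00 host sshd[1300]: Accepted publickey for alex from 192.0.2.10 port 5000 ssh2
Jul 24 09:15:00 host sshd[1400]: Failed password for alex from 192.0.2.10 port 5001 ssh2
"""

# OpenSSH of that era logged either "Failed password for [illegal user] X from IP"
# or "Illegal user X from IP" for the two cases LogWatch summarised above.
FAILED_RE = re.compile(r"Failed password for (?:illegal user )?(\S+) from (\S+)")
ILLEGAL_RE = re.compile(r"Illegal user (\S+) from (\S+)")


def normalize_ip(addr):
    """Turn the IPv4-mapped IPv6 form (::ffff:a.b.c.d) into plain a.b.c.d."""
    if addr.lower().startswith("::ffff:"):
        return addr[len("::ffff:"):]
    return addr


def parse_failures(text):
    """Return {ip: {"count": n, "users": set(...)}} for failed and illegal-user attempts."""
    stats = defaultdict(lambda: {"count": 0, "users": set()})
    for line in text.splitlines():
        m = FAILED_RE.search(line) or ILLEGAL_RE.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        user, ip = m.group(1), normalize_ip(m.group(2))
        stats[ip]["count"] += 1
        stats[ip]["users"].add(user)
    return dict(stats)


def classify_sources(stats, threshold=3):
    """Flag a source that tried both probe usernames or hit the failure threshold (assumed value)."""
    flagged = {}
    for ip, s in stats.items():
        reasons = []
        if PROBE_USERS <= s["users"]:
            reasons.append("probed guest and test")
        if s["count"] >= threshold:
            reasons.append("%d failed attempts" % s["count"])
        if reasons:
            flagged[ip] = reasons
    return flagged


def iptables_rules(flagged):
    """Build the DROP rules for the flagged sources; printed for an admin to review, never executed here."""
    return ["iptables -I INPUT -s %s -p tcp --dport 22 -j DROP" % ip for ip in sorted(flagged)]


if __name__ == "__main__":
    stats = parse_failures(SAMPLE_LOG)
    flagged = classify_sources(stats)
    for ip, reasons in sorted(flagged.items()):
        print("%s: %s" % (ip, ", ".join(reasons)))
    for rule in iptables_rules(flagged):
        print(rule)
```

Run it against `/var/log/secure` (or wherever sshd logs on the host) instead of the embedded sample to see which sources match the guest/test probe; the single mistyped password from 192.0.2.10 stays below the threshold and is not flagged, which is the point of combining the username signature with a count rather than blocking on any failure.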
