On Fri, 2004-08-06 at 08:44, Alexander Dalloz wrote:
> Certainly some script kids active. I had investigated now a couple of
> machines from where these attempts reached me or friends' hosts. This is
> what I can conclude:
>
> 1) The machines from where these attempts come are already hacked: they
> have a rootkit running which lets run an SSHD version 1.2.25 on a high
> port. Most often there is a telnet daemon running too.
>
> 2) Most of the hacking machines have an old and vulnerable SSHD running.
>
> 3) They have an old and vulnerable kernel running too.
>
> 4) Many of the machines are older Redhat releases, I saw a lot of RH8.
>
> 5) The script connecting on SSH with user test and guest is checking the
> SSH version and how the SSH reacts besides the plain version reply. This
> way it can find out whether the host is a good target for the second
> step.
>
> 6) I was on one hacking host because the rootkit on it - Fuck'it Rootkit
> - had the default password (rootme) and I tried to find out more details
> about what the kids do. I found scripts doing the SSH connection tests
> and also a list of target IPs the script automatically sends to a
> Romanian email address. The admins of the host were absolutely clueless
> - astonishingly it was a central host of a Pakistani internet provider,
> holding radius data, data about customers and their usage of the
> services they offer. The host was a default Redhat 8 host with not any
> update package installed! Unfortunately all my mail to administrative
> addresses I found out by whois data came back, so I had to inform them
> by modifying the /etc/motd and kicking the real root some time, so they
> had a chance to read the motd information. In all it took more than 24
> hours until they finally closed the bad hole. Though I am not sure they
> really changed anything on the host so that in future any further hack
> over the vulnerable SSHD can take place.
>
> Finally: firewalling is certainly a very good thing - but most important
> is to keep the system as much up to date as it is possible!
>
> Alexander

Just be careful trying to fix root'ed hosts yourself. I would hate to
see you get in trouble.

BTW: Nice trick with the motd. :)

-- 
Scot L. Harris
webid@xxxxxxxxxx

You put the disk in upside down.
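The pattern Alexander describes in point 5 (a scanner that connects, checks the SSH version and then tries the accounts "test" and "guest") leaves a characteristic trail in sshd's syslog output. The script below is an added example for spotting that trail on the receiving side; it is not from the thread or from any of the hosts discussed. The log lines are constructed samples in the classic syslog/sshd format ("Failed password for illegal user ..." as logged by OpenSSH of that era, "invalid user" in later releases, and "Did not receive identification string from ..." for a connection that closed after the banner exchange), and the source addresses are documentation ranges.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not from the original thread).
SAMPLE_LOG = """\
Aug  6 08:41:02 host sshd[2231]: Did not receive identification string from 192.0.2.45
Aug  6 08:41:05 host sshd[2234]: Failed password for illegal user test from 192.0.2.45 port 33412 ssh2
Aug  6 08:41:07 host sshd[2236]: Failed password for illegal user guest from 192.0.2.45 port 33418 ssh2
Aug  6 08:42:11 host sshd[2240]: Accepted publickey for alice from 198.51.100.7 port 50122 ssh2
Aug  6 08:43:30 host sshd[2244]: Failed password for bob from 198.51.100.9 port 50130 ssh2
Aug  6 08:44:01 host sshd[2250]: Failed password for invalid user guest from 203.0.113.8 port 4022 ssh2
"""

# Account names the scanner from the thread tries; extend as needed.
PROBE_USERS = {"test", "guest"}

# Older OpenSSH logs "illegal user", newer releases log "invalid user"; accept both.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:illegal user |invalid user )?(\S+) from (\S+) port"
)
# Logged when a client connects and drops the session before sending its version string
# (a banner grab looks like this from the server's side).
NOIDENT_RE = re.compile(r"sshd\[\d+\]: Did not receive identification string from (\S+)")


def scan_sshd_log(text):
    """Summarise sshd log text per source address.

    Returns a dict: ip -> {"probe_users": set of probe accounts tried,
                           "no_ident": count of banner-only connects,
                           "other_failures": failed logins for non-probe accounts}.
    """
    sources = defaultdict(lambda: {"probe_users": set(), "no_ident": 0, "other_failures": 0})
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            if user in PROBE_USERS:
                sources[ip]["probe_users"].add(user)
            else:
                sources[ip]["other_failures"] += 1
            continue
        m = NOIDENT_RE.search(line)
        if m:
            sources[m.group(1)]["no_ident"] += 1
    return sources


def flag_scanners(sources, min_probe_users=2):
    """Sources that tried at least `min_probe_users` distinct probe accounts.

    Requiring both "test" and "guest" from one address separates the sweep
    described in the thread from a single mistyped login.
    """
    return sorted(ip for ip, s in sources.items() if len(s["probe_users"]) >= min_probe_users)


if __name__ == "__main__":
    summary = scan_sshd_log(SAMPLE_LOG)
    for ip in flag_scanners(summary):
        s = summary[ip]
        print(f"{ip}: probe users {sorted(s['probe_users'])}, "
              f"banner-only connects {s['no_ident']}")
```

Run it against a real `/var/log/secure` or `/var/log/auth.log` by replacing `SAMPLE_LOG` with the file contents; hosts that show up here are the ones to block at the firewall, and, as Alexander's conclusion stresses, the real fix for the hosts doing the scanning is a patched sshd and kernel rather than anything on the receiving end.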