brute force ssh attack
Daniel Kirsten
Daniel.Kirsten at gmx.net
Wed Apr 27 11:26:03 UTC 2005
Hello,
there are numerous brute force ssh attacks on the web.
I was quite curious, and for fun, I created the typical
user accounts and set easy to guess passwords....
Yesterday, such an ssh login was successful for users
kevin and daikanyama. The hackers changed the passwords
for both logins. They installed a certain program
"undernet" as daikanyama and started a program called mech.
After some minutes, I removed the network cable, killed
all the processes of the users and disabled these users.
Then, I figured out that some programs such as grep did not work.
I rebooted the machine, but during the reboot I got
various "segmentation faults", "illegal instructions", ....
I booted from an FC3 rescue CD, and I found out that
various executables in /bin and /usr/bin were
manipulated (grep, egrep, gzip, rpm, mount, ...).
I replaced these manipulated executables with original
files, but I forgot to replace gtbl.
Then, the machine booted correctly. Later, when gtbl
was called, some executables in /bin and /usr/bin
were manipulated. It seems to be some virus: when
you start a manipulated executable, it manipulates
other executables.
I managed to replace all manipulated files and the
machine seems to work correctly.
My question is: they did not guess the root password,
so how did they manipulate files which are only writable
by root?
Is anyone interested in log files or in the programs
which the hackers installed under daikanyama?
Best regards, Daniel
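The post describes trojaned binaries in /bin and /usr/bin (grep, egrep, gzip, rpm, mount, gtbl) that re-infected other executables when run, and the author had to find every modified file by hand from a rescue CD. The script below is an added example, not code from the post or from any of the tools it mentions: it records a SHA-256 baseline of every regular file under a set of directories and later reports which files changed, disappeared or appeared. Run from known-good media against a baseline taken before the compromise, a check like this enumerates exactly what was touched, including files the attacker's own tools would hide from an infected `rpm` or `grep`. The default directories /bin and /usr/bin come from the post; the baseline file name and the per-file mode field are assumptions of this example.

```python
"""Baseline-and-compare integrity check for executables (added example).

Records path -> {sha256, mode} for every regular file under the given
directories, then diffs a fresh scan against the saved baseline. The mode
is recorded as well so that a newly set SUID/SGID bit on an otherwise
unchanged file also shows up as "modified".
"""
import hashlib
import json
import sys
from pathlib import Path

# Directories named in the post; assumed defaults for a stand-alone run.
DEFAULT_DIRS = ["/bin", "/usr/bin"]
# Assumed default location for the saved baseline.
DEFAULT_BASELINE = "bin-baseline.json"


def sha256_of(path: Path, chunk: int = 1 << 16) -> str:
    """Stream the file in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(dirs) -> dict:
    """Map absolute path -> {'sha256', 'mode'} for every regular file.

    Symlinks are skipped on purpose: their targets are hashed where they
    live, so a retargeted link cannot hide a swapped binary. Unreadable
    files are skipped rather than aborting the whole scan.
    """
    baseline = {}
    for d in dirs:
        root = Path(d)
        if not root.is_dir():
            continue
        for p in sorted(root.rglob("*")):
            if p.is_symlink() or not p.is_file():
                continue
            try:
                st = p.stat()
                baseline[str(p)] = {
                    "sha256": sha256_of(p),
                    "mode": oct(st.st_mode & 0o7777),
                }
            except OSError:
                continue
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Return sorted lists of modified, missing and added paths."""
    modified = [p for p in baseline if p in current and current[p] != baseline[p]]
    missing = [p for p in baseline if p not in current]
    added = [p for p in current if p not in baseline]
    return {"modified": sorted(modified), "missing": sorted(missing), "added": sorted(added)}


def save_baseline(baseline: dict, path: str) -> None:
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    # Usage: check.py baseline [file]   -> record the current state
    #        check.py compare  [file]   -> diff the current state against it
    mode = sys.argv[1] if len(sys.argv) > 1 else "compare"
    store = sys.argv[2] if len(sys.argv) > 2 else DEFAULT_BASELINE
    if mode == "baseline":
        save_baseline(build_baseline(DEFAULT_DIRS), store)
        print(f"baseline written to {store}")
    else:
        report = compare(load_baseline(store), build_baseline(DEFAULT_DIRS))
        for kind, paths in report.items():
            for p in paths:
                print(f"{kind}: {p}")
        sys.exit(1 if any(report.values()) else 0)
```

Keep the baseline file on read-only or off-box storage and run the comparison from a rescue environment, since a Python interpreter or `hashlib` living on the compromised disk is no more trustworthy than the `grep` and `rpm` binaries the post found replaced.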