brute force ssh attack

Daniel Kirsten Daniel.Kirsten at gmx.net
Wed Apr 27 11:26:03 UTC 2005


Hello,

there are numerous brute force ssh attacks on the web.
I was quite curious, and for fun, I created the typical 
user accounts and set easy to guess passwords.... 

Yesterday, such an ssh login was successful for users
kevin and daikanyama. The hackers changed the passwords
for both logins. They installed a certain program
"undernet" as daikanyama and started a program called mech.

After some minutes, I removed the network cable, killed 
all the processes of the users and disabled these users.

Then, I figured out that some programs such as grep did not work.
I rebooted the machine, but during the reboot I got 
various "segmentation faults", "illegal instructions", ....

I booted from an FC3 rescue CD, and I found out that
various executables in /bin and /usr/bin were
manipulated (grep, egrep, gzip, rpm, mount, ...).
I replaced these manipulated executables by original
files, but I forgot to replace gtbl.

Then, the machine booted correctly. Later when gtbl
was called, some executables in /bin and /usr/bin
were manipulated. It seems to be some virus: when
you start a manipulated executable it manipulates
other executables.

I managed to replace all manipulated files and the 
machine seems to work correctly. 

My question is:  They did not guess the root password, 
how did they manipulate files which are only writable 
by root???

Is anyone interested in log-files or in the programs 
which the hackers installed under daikanyama?

Best regards,  Daniel

-- 
+++ Saving starts with GMX DSL: http://www.gmx.net/de/go/dsl
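The post above describes finding replaced executables in /bin and /usr/bin by booting from a rescue CD and comparing against original files. The following is an added example, not code from the original message or from the Fedora project: a small baseline-and-compare integrity checker in Python. It records the SHA-256 hash and permission bits of every regular file under the given directories, and a later run reports which files were modified, added or removed. The directory layout, file names and the "tampering" in the demo are constructed for illustration.

```python
"""Baseline-and-compare integrity check for executables.

Added example (not from the original mailing-list post). Record the
SHA-256 and mode bits of every regular file under the given directories
from a known-clean state (e.g. a rescue boot), keep the baseline on
read-only or off-host media, and compare later snapshots against it.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(directories):
    """Map absolute path -> {sha256, mode} for every regular (non-symlink) file."""
    result = {}
    for d in directories:
        root = Path(d)
        for p in sorted(root.rglob("*")):
            if p.is_file() and not p.is_symlink():
                st = p.stat()
                result[str(p)] = {
                    "sha256": sha256_file(p),
                    # permission bits incl. setuid/setgid/sticky; a trojaned
                    # mount or a newly setuid helper shows up as a mode change
                    "mode": oct(st.st_mode & 0o7777),
                }
    return result


def compare(baseline, current):
    """Return the paths whose hash or mode differ, plus added and removed paths."""
    modified = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    added = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    return {"modified": modified, "added": added, "removed": removed}


def save_baseline(snap, path: Path) -> None:
    path.write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_baseline(path: Path):
    return json.loads(path.read_text())


def demo():
    """Constructed scenario: a fake /bin is baselined, then tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        bindir = Path(tmp) / "bin"
        bindir.mkdir()
        for name in ("grep", "gzip", "mount"):
            exe = bindir / name
            exe.write_bytes(b"#!/bin/sh\necho original " + name.encode() + b"\n")
            exe.chmod(0o755)

        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(snapshot([bindir]), baseline_file)

        # Simulated tampering (constructed): grep replaced, a new binary
        # dropped, and mount's permission bits changed.
        (bindir / "grep").write_bytes(b"#!/bin/sh\necho trojaned\n")
        (bindir / "gtbl").write_bytes(b"#!/bin/sh\necho dropped\n")
        (bindir / "mount").chmod(0o700)

        report = compare(load_baseline(baseline_file), snapshot([bindir]))
        # reduce to basenames so the result does not depend on the temp path
        return {k: sorted(Path(p).name for p in v) for k, v in report.items()}


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

On an RPM-based system such as FC3, `rpm -Va` performs a comparable comparison against the package database, but it is only trustworthy when run with an rpm binary and database from clean media: the post lists rpm itself among the manipulated executables, so a verification run from the compromised system would be reporting through the attacker's binary. The same applies to the baseline above, which must be taken before the compromise and stored where the compromised host cannot rewrite it.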