brute force ssh attack
Nigel Wade
nmw at ion.le.ac.uk
Wed Apr 27 16:21:45 UTC 2005
Matthew Miller wrote:
> On Wed, Apr 27, 2005 at 03:50:57PM +0100, Nigel Wade wrote:
>
>>Number of infections 0-49, number of sites 0-2 - over 3 years.
>>Wow, it's spreading like wildfire... help, help!
>>It has no escalation mechanism, so can only infect ELF files to which the
>>user infected has write permission.
>>Threat ~0.
>
>
> Looks like it spread to root from a user account in this case. Threat is
> obviously somewhat greater than 0. Caution and good practices are still
> required.
>
There's no evidence that the virus escalated its own privilege. More likely
that a root process executed an infected binary.
Moral of the story - don't execute binaries installed during a break-in just
to see what they do, especially when logged in as root - and don't have "."
in root's path!
--
Nigel Wade, System Administrator, Space Plasma Physics Group,
University of Leicester, Leicester, LE1 7RH, UK
E-mail : nmw at ion.le.ac.uk
Phone : +44 (0)116 2523548, Fax : +44 (0)116 2523555
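
The advice above about keeping "." out of root's path can be checked mechanically. This is an added example, not part of the original post: a POSIX sh function (the name audit_path and its output labels are hypothetical) that flags PATH entries resolving to the current directory and, going slightly beyond the post, relative entries and directories writable by group or others. The sample PATH at the end is constructed.

```shell
#!/bin/sh
# audit_path PATHSTRING   (hypothetical helper, added example)
# Prints one finding per line; returns 1 if any entry is unsafe, else 0.
# The body runs in a subshell, so its variables do not leak to the caller.
audit_path() (
    rest="$1:"      # trailing colon so the loop also sees the last entry
    bad=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}    # text before the first colon
        rest=${rest#*:}      # everything after it
        case $entry in
            '')
                # A leading, trailing or doubled colon yields an empty
                # entry, which the shell treats as the current directory.
                echo "CWD (empty entry)"; bad=1 ;;
            .)
                echo "CWD ."; bad=1 ;;
            /*)
                # Absolute entry: flag it if group or others may write
                # there. -L checks the target of a symlinked directory.
                if [ -d "$entry" ] && [ -n "$(find -L "$entry" -prune \
                        \( -perm -0002 -o -perm -0020 \) -print 2>/dev/null)" ]
                then
                    echo "WRITABLE $entry"; bad=1
                fi ;;
            *)
                # Anything else is resolved relative to the current directory.
                echo "RELATIVE $entry"; bad=1 ;;
        esac
    done
    exit "$bad"
)

# Constructed sample: contains "." and a trailing colon (an empty entry).
SAMPLE_PATH="/usr/local/sbin:/usr/sbin:.:/sbin:"
audit_path "$SAMPLE_PATH" || true
```

To audit a live session, run `audit_path "$PATH"` from root's login shell, since sudo may substitute its own PATH.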