brute force ssh attack
Aleksandar Milivojevic
amilivojevic at pbl.ca
Fri Apr 29 15:07:07 UTC 2005
Nigel Wade wrote:
> Why? I would be very surprised if it was. It requires infected files to
> be manually transferred from system to system.
The attackers might have used shell access on the compromised machine as a
platform to launch an attack on his local network. Or even the automated
tools they uploaded/installed on the compromised machine might have done
that. It is a classic approach. The attacker gets access to a single
machine. Then he tries to see what else is reachable from it.
That is why when setting up a honey pot machine, it must be on a physically
separate network segment, completely cut off from any other network by
a firewall.
Daniel's (Daniel was OP, right?) reasoning was "they can't do much harm
if all they got is user-level shell access". My guess is Daniel already
realized how wrong his reasoning was. You can do a lot of nasty things
with user-level shell access.
An analogy would be letting a thief into your house, and locking him in
the room. There's a locked cabinet with some valuables inside that
room. However, your room doors, and the lock on the cabinet, are certainly no
match to your front door. It is so much easier for a thief to get the
stuff from the locked cabinet (root access) and move to other rooms
(machines on local network), once he is already inside the house. To
continue with the analogy, honey pot machines are completely separate
houses. They are not rooms inside your house.
Moral of the story (which would be this thread): kids, don't do this at
home.
--
Aleksandar Milivojevic <amilivojevic at pbl.ca> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7