Re: [SLUG] Crack Attempts

From: Mike Branda (mike@wackyworld.tv)
Date: Mon Jul 18 2005 - 13:11:16 EDT


On Fri, 2005-07-15 at 12:00 -0400, Josh Bowers wrote:
> Steven Buehler wrote:
> >
> > On Jul 15, 2005, at 11:26 AM, John Pugh wrote:
> >
> >> FYI...most of these "attacks" come from already hacked
> >> computers so retaliation might be directed towards the wrong people.
> >
> >
> > There is also the possibility that the attacking computer has a forged IP
> > or is doing so through a proxy.

This started happening to me at the office about a year ago. My
research back then never showed the same originating IP twice so I gave
up on trying to track it. A combo of things fixed it and the logs have
been quiet since. I denied root access, rolled the ssh port to a
different unused high port (hopefully out of the common scanning
range...who's gonna scan everything from 1025-65535?), and since I
needed the ssh capabilities, I clamped down hosts.allow/deny to only 1
originating source IP....mine at home.

>
> I had these a couple of weeks ago and looked into it. It is probably
> someone's rooted box running an SSH brute force cracker.
>

This is the conclusion I came to back then too. Here's a site that has
the code from one such brute force script. Maybe it'll help the counter
combat attempts.

http://www.frsirt.com/exploits/08202004.brutessh2.c.php

Originally an article I read said that the usernames that were being
used at the time were default Solaris (I think) usernames of nobody,
test and guest. I thought only M$ was looney enough to include such
generic usernames.

HTH.

Mike Branda Jr.
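As an added illustration of the log review described above (example code, not part of the original post or of the brutessh2 tool it links), this script parses constructed OpenSSH "Failed password" lines and aggregates them two ways: per source IP, which catches a single noisy scanner, and per username across IPs, which still stands out when, as Mike saw, no originating IP repeats. The sample log lines, the threshold and the list of generic account names are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample sshd log lines (syslog format); not from the original post.
SAMPLE_LOG = """\
Jul 15 11:20:01 host sshd[2210]: Failed password for invalid user test from 10.0.0.5 port 41122 ssh2
Jul 15 11:20:03 host sshd[2211]: Failed password for invalid user guest from 10.0.0.5 port 41123 ssh2
Jul 15 11:20:05 host sshd[2212]: Failed password for root from 10.0.0.5 port 41124 ssh2
Jul 15 11:21:10 host sshd[2230]: Failed password for invalid user nobody from 192.0.2.9 port 50110 ssh2
Jul 15 11:21:12 host sshd[2231]: Failed password for root from 192.0.2.9 port 50111 ssh2
Jul 15 11:25:00 host sshd[2300]: Accepted publickey for mike from 198.51.100.7 port 52000 ssh2
"""

# Matches the "Failed password" line OpenSSH emits; "invalid user" is present
# when the account does not exist on the host at all.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

# Generic account names the thread says the brute-forcer tried (assumed list).
GENERIC_USERS = {"root", "nobody", "test", "guest"}


def parse_failures(log_text):
    """Return a list of (user, ip) tuples, one per failed password attempt."""
    return [(m.group("user"), m.group("ip"))
            for line in log_text.splitlines()
            if (m := FAILED_RE.search(line))]


def summarize(failures, threshold=3):
    """Aggregate failures so both a single scanning host and a distributed
    dictionary run (many IPs, same generic usernames) stand out."""
    by_ip = Counter(ip for _, ip in failures)
    by_user = Counter(user for user, _ in failures)
    users_per_ip = defaultdict(set)
    for user, ip in failures:
        users_per_ip[ip].add(user)
    return {
        # IPs that reach the threshold alone: candidates for a hosts.deny entry
        "noisy_ips": sorted(ip for ip, n in by_ip.items() if n >= threshold),
        # IPs probing generic accounts, even with a single attempt each
        "generic_probers": sorted(ip for ip, users in users_per_ip.items()
                                  if users & GENERIC_USERS),
        "attempts_by_user": dict(by_user),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_failures(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Feed it `/var/log/auth.log` (or `/var/log/secure`) instead of the embedded sample to get the same summary for a real host.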

-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked
Knowledge Systems (NKS). Views and opinions expressed in messages
posted are those of the author and do not necessarily reflect the
official policy or position of NKS or any of its employees.



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 17:58:13 EDT