[Tfug] Anybody here(sic) of a new SSH vulnerability?
Brian Murphy
murphy+tfug at email.arizona.edu
Wed Jul 28 12:03:34 MST 2004
You're most likely seeing probing done by a botnet looking for infected
hosts. There are several old attack vectors for linux systems that not
everyone has patched. (i.e. mremap for kernel[1])
Once these programs get in, they'll install a rootkit like SucKIT.
Rootkits can do many things, including installing a trojaned sshd.
To be safe, be up to date on all of your vendor patches. If you suspect
a break-in, tools like chkrootkit[2] and the coroner's toolkit[3] can
help determine the extent of the problems.
Arm yourself with a host based intrusion detection system (like
tripwire[4]) to know when someone has compromised your system.
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0077
[2] http://www.chkrootkit.org
[3] http://www.porcupine.org/forensics/tct.html
[4] http://www.tripwire.org
Brian
Quoting Choprboy <choprboy at dakotacom.net>:
> Anybody heard anything more on this? I still haven't seen anything on
> SecurityFocus, etc... And I'm still getting hit multiple times every day on
> various servers across the country.
>
> Logwatch daily logs look like:
> Illegal users from these:
> admin/none from 219.120.54.178: 2 Time(s)
> admin/password from 219.120.54.178: 2 Time(s)
> guest/none from 216.99.211.35: 1 Time(s)
> guest/none from 219.120.54.178: 1 Time(s)
> guest/password from 216.99.211.35: 1 Time(s)
> guest/password from 219.120.54.178: 1 Time(s)
> test/none from 216.99.211.35: 1 Time(s)
> test/none from 219.120.54.178: 2 Time(s)
> test/password from 216.99.211.35: 1 Time(s)
> test/password from 219.120.54.178: 2 Time(s)
> user/none from 219.120.54.178: 1 Time(s)
> user/password from 219.120.54.178: 1 Time(s)
>
>
> Adrian
The opinions or statements expressed herein are my own and should not be
taken as a position, opinion, or endorsement of the University of
Arizona.
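As an added example (not code from either poster), here is a small triage script for the Logwatch "Illegal users" format quoted in the thread: it parses the summary lines, aggregates attempts per source IP, and flags sources that sweep the usual scanner dictionary (admin/guest/test/user) rather than targeting one account. The PROBE_USERS set, the sample block and its RFC 5737 addresses are assumptions made for this example.

```python
import re
from collections import defaultdict

# Matches the Logwatch "Illegal users" summary lines quoted on the list:
#   <user>/<auth-method> from <ip>: <n> Time(s)
LINE_RE = re.compile(
    r"^\s*(?P<user>[^/\s]+)/(?P<auth>\S+) from (?P<ip>[\d.]+): (?P<count>\d+) Time\(s\)\s*$"
)

# Account names that appear in scanner dictionaries. Assumption for this
# example: none of them is a legitimate local account on the host.
PROBE_USERS = {"admin", "guest", "test", "user", "root"}

# Constructed sample in the same layout as the Logwatch excerpt in the thread;
# the addresses are RFC 5737 documentation ranges, not real sources.
SAMPLE = """\
Illegal users from these:
   admin/none from 192.0.2.10: 2 Time(s)
   admin/password from 192.0.2.10: 2 Time(s)
   guest/none from 198.51.100.7: 1 Time(s)
   guest/password from 198.51.100.7: 1 Time(s)
   test/none from 192.0.2.10: 2 Time(s)
   test/password from 192.0.2.10: 2 Time(s)
   user/none from 192.0.2.10: 1 Time(s)
   bob/password from 203.0.113.5: 1 Time(s)
"""

def parse_illegal_users(text):
    """Return (user, auth, ip, count) tuples; header and other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append((m["user"], m["auth"], m["ip"], int(m["count"])))
    return records

def summarize_by_source(records):
    """Per source IP: total failed attempts and the sorted distinct usernames tried."""
    totals = defaultdict(int)
    users = defaultdict(set)
    for user, _auth, ip, count in records:
        totals[ip] += count
        users[ip].add(user)
    return {ip: (totals[ip], sorted(users[ip])) for ip in totals}

def classify(summary, min_probe_users=2):
    """'dictionary-sweep' when a source tries at least min_probe_users of the
    well-known scanner usernames, otherwise 'single-account'."""
    verdict = {}
    for ip, (_total, names) in summary.items():
        hits = PROBE_USERS.intersection(names)
        verdict[ip] = "dictionary-sweep" if len(hits) >= min_probe_users else "single-account"
    return verdict
```

Run it against a real Logwatch mail by passing the "Illegal users" section to parse_illegal_users; sources labelled dictionary-sweep are candidates for firewall blocks or for checking whether any of the probed names actually exist locally.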