Re: [Full-Disclosure] Re: Automated SSH login attempts?
- To: full-disclosure@xxxxxxxxxxxxxxxx
- Subject: Re: [Full-Disclosure] Re: Automated SSH login attempts?
- From: dmargoli@xxxxxxxxxx
- Date: Thu, 29 Jul 2004 18:18:01 -0400
Max Valdez wrote:
> Doesn't make any sense.
> That way you should have root on the first box to start exploiting others,
> kind of weird.
> Smells like rootkit downloader to me.
> Anybody willing to make a strace of this program ??
> Max

A previous poster mentioned that after exploiting a test/test or
guest/guest account, an attacker downloaded SuckIt to his machine, got
root using some unspecified local vuln (he said it was a very unpatched
machine), and started from there.

The program IS linked against OpenSSL and appears to initiate an ssh
connection with the target(s) in a separate text file (uniq.txt). I
can't follow the connection because of the encryption, but it seems to
be trying a user and then disconnecting (as in, I see nothing really
obviously out of the ordinary when I run it). Haven't got farther in
disassembling it yet.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
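
A defender-side check for the pattern discussed in this thread (one source trying a username such as test or guest and then disconnecting), as an added example that is not part of the original post. It scans sshd log lines for a source that fails against several usernames or logs in to a test/guest account. The log lines are constructed, and the log layout, the threshold and the function name are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample sshd lines (not from the thread); addresses are documentation ranges.
SAMPLE_LOG = """\
Jul 29 18:01:02 host sshd[1201]: Failed password for illegal user test from 192.0.2.10 port 40001 ssh2
Jul 29 18:01:04 host sshd[1203]: Failed password for illegal user guest from 192.0.2.10 port 40002 ssh2
Jul 29 18:01:06 host sshd[1205]: Failed password for invalid user admin from 192.0.2.10 port 40003 ssh2
Jul 29 18:01:09 host sshd[1207]: Accepted password for guest from 192.0.2.10 port 40004 ssh2
Jul 29 18:05:00 host sshd[1300]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Jul 29 18:05:20 host sshd[1302]: Accepted password for alice from 198.51.100.7 port 51001 ssh2
"""

# Matches both the "illegal user" and "invalid user" wordings, and existing accounts.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:(?:invalid|illegal) user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)
WEAK_ACCOUNTS = {"test", "guest"}  # account names mentioned in the thread


def scan(log_text, min_users=3):
    """Return {source: finding} for sources that sweep usernames or log in to a weak account.

    min_users is an assumed threshold: distinct usernames failed from one source.
    """
    tried = defaultdict(set)     # source -> usernames with a failed attempt
    accepted = defaultdict(set)  # source -> usernames that logged in
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue
        bucket = tried if m["result"] == "Failed" else accepted
        bucket[m["src"]].add(m["user"])

    findings = {}
    for src in set(tried) | set(accepted):
        sweep = len(tried[src]) >= min_users
        weak_login = sorted(accepted[src] & WEAK_ACCOUNTS)
        if sweep or weak_login:
            findings[src] = {"users_tried": sorted(tried[src]),
                             "sweep": sweep, "weak_login": weak_login}
    return findings


if __name__ == "__main__":
    for src, finding in scan(SAMPLE_LOG).items():
        print(src, finding)
```

A successful login to test or guest is reported even without a sweep, since the thread describes that as the starting point for the root compromise.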