[prev in list] [next in list] [prev in thread] [next in thread] 

List:       incidents
Subject:    FW: [Intrusions] Linux SSH scanning - test/guest
From:       "M Shirk" <shirkdog_linux () hotmail ! com>
Date:       2004-07-30 11:22:45
Message-ID: BAY19-F13apzhad2VqK00082dbd () hotmail ! com
[Download RAW message or body]

This is from the ISC's mailling and is relevant here:

Subject: [Intrusions] Linux SSH scanning - test/guest
Importance: Low

FYI

We got zapped by some hackers from, I think, Romania that have a
priv escalation exploit for Linux 2.4.20
http://sirzion.illusivecreations.com/loginxy

There is also a multithreaded SSH bruteforcer called "haita"
This attempts to login to machines using the accounts "test" and "guest",
with passwords "test" & "guest" respectively. It runs from a file
of addresses found by a synscan program. It identifies itself as
SSH-2.0-libssh-0.1

So, SSH login failures for test & guest are an indication of this
thing running at the remote end.

The two names & passwords appear to be hardcoded into the program.
Since Linux as I recall backs off after failed attempts there wouldn't be
much to gain by trying many more names, but variants may appear with other
defaults.

--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
security@triumf.ca
_______________________________________________

_________________________________________________________________
MSN Toolbar provides one-click access to Hotmail from any Web page – FREE 
download! http://toolbar.msn.click-url.com/go/onm00200413ave/direct/01/

[prev in list] [next in list] [prev in thread] [next in thread]