A Couple of SSH Brute Force Compromises

Published: 2013-07-25
Last Updated: 2013-07-25 23:26:33 UTC
by Johannes Ullrich (Version: 1)
3 comment(s)

One common and stupidly simple way hosts are compromissed is weak SSH passwords. You would think people have learned by now, but evidently there are still enough systems with root passwords like 12345 around to make scanning for them a worthwhile exercise. As a result, one of my favorite honeypot tools is kippo, and we have talked about the tool before. I figured it is a good time again to write a quick update on some recent compromisses

The basic compromisse tends to follow a basic pattern:

- user logs in as root
- looks a bit around the system (uname -a, cpuinfo and the like)
- sometimes performes a bandwidth test by downloading a large file, for example a Windows service pack.
- the installs some kind of rootkit/backdoor/bot
- sometimes adds a user to the system.

Here are some of the recent artifacts:

- a UID 0 user called "cvsroot" (this user CAN be found on normal systems, but not with a UID of 0)
- the usual "hidden" directory name of many spaces (e.g. cd /var/tmp; mkdir "    " )

Here are some of the domains I have seen used to download bots  and other tools from:

bnry.jorgee.nu, anglefire.com/komales88, donjoan.go.ro

One particular interesting attacker actually used a little trick to figure out if the system ran kippo, by installing a non-existing package. If the "apt-get" command is used, kippo will always simulate success, even if the packes wouldn't exist. So our enterprising hacker issued the following command:

apt-get install kippofuck

and of course, kippo pretended to install this package. The attacker of course immediatly disconnected.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: honeypot kippo
3 comment(s)

A couple Site Updates

Published: 2013-07-25
Last Updated: 2013-07-25 23:05:06 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)

We are always trying to tweak the ISC website a bit to make it more useful. This week, we moved live a couple new features and are looking for feedback. Note that these features do require you to log in to take advantage of them.

- Our news page got reorganized again. I am not sure if we got it "right" yet, but I think it is now more useable. The goal is to allow users to "rank" news to make the feed overall more relevant. Once you are logged in, you will see a "+1" button to add your weight to an article.

- We made the diary comments a bit more interactive by integrating them with a forum to allow for threaded discussions / quotes and the like. There are now also some generic security categories for other discussions and a section to comment on current news.

For any feedback, please use the comment form.

Thanks.

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: isc
2 comment(s)
ISC StormCast for Thursday, July 25th 2013 http://isc.sans.edu/podcastdetail.html?id=3439

Comments


Diary Archives