[WBEL-users] SSH Hack/Login attempts
Johnny Hughes
mailing-lists@hughesjr.com
Sun, 08 Aug 2004 10:02:52 -0500
On Sun, 2004-08-08 at 08:39, Jeff Maze wrote:
> Hello,
> I was wondering if there's a way to block some user names/accounts
> from attempting to be logged into via SSH. Lately, over the last week or
> so, I've seen a lot of login attempts via test, admin, and guest accounts.
> I have the PermitRootLogin=No in the sshd_config file but was wondering if I
> add the above-mentioned accounts, they won't even get a password prompt.
> Thanks..
>
> Oh yeah, there aren't admin, test, nor guest accounts created on the machine
> but they keep trying to use them to login.
>
This is happening everywhere, here are some references:
http://thread.gmane.org/gmane.linux.gentoo.security/1466
http://thread.gmane.org/gmane.comp.security.incidents/4969
http://thread.gmane.org/gmane.linux.redhat.general/77870
http://thread.gmane.org/gmane.comp.security.full-disclosure/23716
http://thread.gmane.org/gmane.user-groups.linux.ilug.general/11030
http://thread.gmane.org/gmane.comp.security.intrusions/5768
So it seems to me there was/is a vulnerability in SSH and/or
apache/mod_ssl that was initially exploited by some people, who used a
rootkit that created usernames of test, admin, guest on the affected
machines ... and there are now scanners looking to use those usernames
to break into machines.
I verified that all the attempts to login failed in my logs and
installed and ran chkrootkit on all my Internet facing machines.
chkrootkit can be installed from Dag's site via yum
(http://dag.wieers.com/home-made/apt/FAQ.php#B3) or downloaded from
here:
http://apt.sw.be/redhat/el3/en/i386/RPMS.dag/
it is named: chkrootkit-0.43-2.rhel3.dag.i386.rpm
Johnny Hughes
HughesJR.com
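The reply above says the author checked his logs to confirm that every attempt against the test/admin/guest names failed. The following is an added example, not part of the thread, of how to do that check over sshd's syslog output: it tallies failed and accepted authentications per username and source address and raises an alert for any accepted login on a name that is being probed or that does not exist locally. The log lines, the local account set and the list of watched names are constructed for the example; on a real system you would feed it /var/log/secure (or /var/log/auth.log) and the usernames from /etc/passwd.

```python
import re
from collections import defaultdict

# Constructed sample sshd syslog lines (the format OpenSSH used around 2004,
# with "illegal user"; later releases say "invalid user"). Not from the post.
SAMPLE_LOG = """\
Aug  8 09:12:01 gw sshd[1234]: Illegal user test from 192.0.2.10
Aug  8 09:12:03 gw sshd[1234]: Failed password for illegal user test from 192.0.2.10 port 40000 ssh2
Aug  8 09:12:05 gw sshd[1240]: Illegal user admin from 192.0.2.10
Aug  8 09:12:07 gw sshd[1240]: Failed password for illegal user admin from 192.0.2.10 port 40001 ssh2
Aug  8 09:12:09 gw sshd[1246]: Failed password for illegal user guest from 192.0.2.10 port 40002 ssh2
Aug  8 09:30:00 gw sshd[1300]: Failed password for root from 203.0.113.7 port 33000 ssh2
Aug  8 09:31:12 gw sshd[1310]: Accepted password for jeff from 198.51.100.5 port 51000 ssh2
Aug  8 09:45:00 gw sshd[1320]: Accepted password for guest from 203.0.113.7 port 33100 ssh2
"""

# Accounts that really exist on the box (constructed; read /etc/passwd in practice).
LOCAL_ACCOUNTS = {"root", "jeff"}

# The usernames the thread reports being probed.
WATCHED = {"test", "admin", "guest"}

# Matches the outcome lines only ("Accepted ..." / "Failed ..."); the bare
# "Illegal user X from Y" lines are deliberately ignored, since each one is
# followed by a "Failed password for illegal user X" line that we do count.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:(?:illegal|invalid) user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_auth_events(log_text):
    """Yield (result, user, src) for every sshd authentication outcome line."""
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("src")


def summarize(log_text, local_accounts=LOCAL_ACCOUNTS, watched=WATCHED):
    """Return (per_user counts, alerts).

    per_user maps username -> {"failed": n, "accepted": n, "sources": {ips}}.
    alerts lists accepted logins on watched or non-existent usernames; that is
    the case the thread worries about (a rootkit-created account in use).
    """
    per_user = defaultdict(lambda: {"failed": 0, "accepted": 0, "sources": set()})
    alerts = []
    for result, user, src in parse_auth_events(log_text):
        entry = per_user[user]
        entry["sources"].add(src)
        if result == "Accepted":
            entry["accepted"] += 1
            if user in watched or user not in local_accounts:
                alerts.append(f"ACCEPTED login for unexpected account {user!r} from {src}")
        else:
            entry["failed"] += 1
    return per_user, alerts


def report(log_text, local_accounts=LOCAL_ACCOUNTS, watched=WATCHED):
    """Render the summary as text lines; returns the list so it can be tested."""
    per_user, alerts = summarize(log_text, local_accounts, watched)
    lines = []
    for user in sorted(per_user):
        e = per_user[user]
        flag = " (probed name)" if user in watched else ""
        lines.append(f"{user:<10} failed={e['failed']:<3} accepted={e['accepted']:<3} "
                     f"from {', '.join(sorted(e['sources']))}{flag}")
    lines.extend(alerts)
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

In the constructed sample the only alert is the accepted login for "guest": the failures for test, admin and root are the scanner noise the thread describes, but an accepted login on a name that should not exist is the signal that warrants the chkrootkit run the author recommends. Sorting by source address also shows at a glance which hosts are cycling through the probed usernames.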