[unisog] ssh scan heads up

Craig Lant craig at ack.berkeley.edu
Fri Nov 2 19:09:07 GMT 2001


We too were hit with this tool and a few of our machines were rooted.
We have a copy of the tool and have tuned our IDS to notice the attacks.
Interestingly, the rootkit they installed on our systems was the
GFORCE.PAKiSTAN rootkit.  Don't know if that really means anything
though since I think that rootkit is publicly available.


                           Craig Lant
-------   Campus Information Systems Security Officer   -------
     -----     University of California, Berkeley     -----
             510-643-0596    craig at ack.Berkeley.edu



Peter Van Epp wrote:

> 	Looks like an automated ssh attack started around a week ago Monday.
> I've traced back break-ins to two machines here so far to something like this
> (with the addresses obscured to protect the guilty). I expect this is one of
> the ssh prediction attacks but don't have details from the busted machines
> yet. One machine was rootkitted and DDOSing (which is what caught it) and
> the other has a copy of this attack on it and was being used to probe other
> people (which at least one person it probed noticed and reported).
> 
> Mon 10/22 04:06:56      tcp     aaa.b.cc.dd.832   <|   vvv.www.xx.yyy.22    70
>    40      90592     311      RST
> Mon 10/22 04:06:49      tcp     aaa.b.cc.dd.612   <|   vvv.www.xx.yyy.22    70
>    40      90592     311      RST
>    39      89956     363      RST
> Mon 10/22 04:07:17      tcp     aaa.b.cc.dd.731   <|   vvv.www.xx.yyy.22    70
>    40      90592     311      RST
> Mon 10/22 04:06:51      tcp     aaa.b.cc.dd.930   <|   vvv.www.xx.yyy.22    70
>    40      90592     311      RST
> Mon 10/22 04:07:31      tcp     aaa.b.cc.dd.871   <|   vvv.www.xx.yyy.22    70
>    41      90592     311      RST
> Mon 10/22 04:08:09      tcp     aaa.b.cc.dd.902   <|   vvv.www.xx.yyy.22    70
>    40      90592     311      RST
> Mon 10/22 04:07:11      tcp     aaa.b.cc.dd.805   <|   vvv.www.xx.yyy.22    70
>    40      90592     311      RST
> 
> Peter Van Epp / Operations and Technical Support 
> Simon Fraser University, Burnaby, B.C. Canada
> 
> 

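The flow records quoted above are what an IDS tuned for this scan would key on: one source hitting port 22 on the same host from a fresh ephemeral port every few seconds, with every flow ending in RST. The parser and detector below is added here as an example and is not code from either poster. It reads records in the same two-line layout (header line, then an indented counter line ending in the TCP state) and flags any source that opens at least five tcp connections to port 22 on one host within a two-minute window. The sample records, the RFC 5737 addresses, the extra non-scan flow at the end, the header regex and the thresholds are all constructed assumptions; the thread does not explain the numeric counters on the continuation line, so the code only keeps the trailing state token from it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample modeled on the two-line flow records quoted in the thread.
# Addresses are RFC 5737 documentation ranges, not real hosts. The last record
# is a single ordinary ssh session added to show what is *not* flagged, and the
# third record carries two counter lines, as one record in the original does.
SAMPLE_LOG = """\
Mon 10/22 04:06:49      tcp     192.0.2.10.612   <|   198.51.100.7.22    70
   40      90592     311      RST
Mon 10/22 04:06:51      tcp     192.0.2.10.930   <|   198.51.100.7.22    70
   40      90592     311      RST
Mon 10/22 04:06:56      tcp     192.0.2.10.832   <|   198.51.100.7.22    70
   40      90592     311      RST
   39      89956     363      RST
Mon 10/22 04:07:11      tcp     192.0.2.10.805   <|   198.51.100.7.22    70
   40      90592     311      RST
Mon 10/22 04:07:17      tcp     192.0.2.10.731   <|   198.51.100.7.22    70
   40      90592     311      RST
Mon 10/22 04:07:31      tcp     192.0.2.10.871   <|   198.51.100.7.22    70
   41      90592     311      RST
Mon 10/22 04:08:09      tcp     192.0.2.10.902   <|   198.51.100.7.22    70
   40      90592     311      RST
Mon 10/22 04:09:00      tcp     203.0.113.4.51022   <|   198.51.100.7.22    12
   10      1200     900      FIN
"""

# Header line: weekday, mm/dd, hh:mm:ss, proto, src host.port, direction, dst host.port, count.
# The column layout is an assumption taken from the quoted records.
HEADER_RE = re.compile(
    r"^(?P<day>\w{3}) (?P<date>\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<dir>\S+)\s+(?P<dst>\S+)\s+(?P<n>\d+)\s*$"
)


def split_host_port(token):
    """'198.51.100.7.22' -> ('198.51.100.7', 22); the port is the last dotted field."""
    host, port = token.rsplit(".", 1)
    return host, int(port)


def parse_flows(text):
    """Turn the two-line records into dicts; counter lines attach to the preceding header."""
    flows = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            # Continuation line: counters we do not interpret, then the TCP state token.
            if flows:
                flows[-1]["state"] = raw.split()[-1]
            continue
        m = HEADER_RE.match(raw)
        if not m:
            continue  # tolerate lines in a layout we do not understand
        ts = datetime.strptime(m["date"] + " " + m["time"], "%m/%d %H:%M:%S")  # year-less, relative use only
        src_ip, src_port = split_host_port(m["src"])
        dst_ip, dst_port = split_host_port(m["dst"])
        flows.append({"ts": ts, "proto": m["proto"], "src_ip": src_ip, "src_port": src_port,
                      "dst_ip": dst_ip, "dst_port": dst_port, "state": None})
    return flows


def find_ssh_sweeps(flows, window=timedelta(seconds=120), min_flows=5, port=22):
    """Flag (src, dst) pairs with >= min_flows tcp connections to `port` inside any `window`."""
    by_pair = defaultdict(list)
    for f in flows:
        if f["proto"] == "tcp" and f["dst_port"] == port:
            by_pair[(f["src_ip"], f["dst_ip"])].append(f)
    alerts = {}
    for pair, fl in by_pair.items():
        fl.sort(key=lambda f: f["ts"])
        best, best_start, j = 0, 0, 0
        for i in range(len(fl)):
            # Advance j so that fl[j..i] all fall within the window ending at fl[i].
            while fl[i]["ts"] - fl[j]["ts"] > window:
                j += 1
            if i - j + 1 > best:
                best, best_start = i - j + 1, j
        if best >= min_flows:
            hits = fl[best_start:best_start + best]
            alerts[pair] = {
                "flows": best,
                "first": hits[0]["ts"],
                "last": hits[-1]["ts"],
                "src_ports": sorted(f["src_port"] for f in hits),
                "states": sorted({f["state"] for f in hits}),
            }
    return alerts


if __name__ == "__main__":
    for (src, dst), a in find_ssh_sweeps(parse_flows(SAMPLE_LOG)).items():
        span = (a["last"] - a["first"]).seconds
        print(f"ssh sweep: {src} -> {dst}:22, {a['flows']} flows in {span}s, "
              f"states={a['states']}, src_ports={a['src_ports']}")
```

The sliding window is keyed on the (source, destination) pair rather than on the source alone, so a scan that walks many hosts one connection each is not caught by this rule; counting distinct destinations per source over the same window is the complementary check for that pattern.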
