[unisog] New worm?

Dan Riley dsr at mail.lns.cornell.edu
Sun Apr 17 22:10:38 GMT 2005

Pete Hickey <pete at shadows.uottawa.ca> writes:
> We've had a couple Unix boxes compromised.  A dictionary (userid/password)
> attack on ssh.  Once he gets a good password, a program is run,
> which does the same thing against other machines.

As others have mentioned, large scale brute force ssh password
scanning has been going on for almost a year.  We see them from all
over.  I have noticed significant overlap between the accounts being
attacked and the accounts used on compromised systems to send the
flood of wamu|keybank|northforkbank|southtrust|bankofthewest etc.
phishing spams.  Many of the web sites for these phishing attempts
are also on apparently compromised systems.

> There is no attempt at trying to cover tracks:  no rootkit
> installed, logs intact, etc.  The process is not run as root,
> but as the user for which the password was guessed.  This
> type of behavior makes me think it is a worm, rather than
> someone doing a one-off hack.

It's definitely not one-off, but it also doesn't look like a
fully automated worm--my guess is semi-automated.  As for the
lack of stealth, what that says to me is that they have enough
systems where no one notices the most obvious intrusions that
the extra cost of hiding their tracks isn't worth it.
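The pattern described in this thread (a single source cycling through usernames and passwords over ssh, followed by a successful login and activity running as the guessed user) is visible in ordinary sshd logs. The following is an added example, not code from the original post or its authors: it parses OpenSSH "Failed password" / "Accepted password" lines, flags sources that have failed against many distinct accounts, and reports any account that source then logs into successfully, which is the account an incident responder should check for processes and outbound scanning. The log lines are constructed samples, and the thresholds (5 failures across 3 or more usernames) are illustrative assumptions, not values from the post.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines for this example (not from the original post).
# The message format is OpenSSH's standard "Failed/Accepted password for ..." line.
SAMPLE_LOG = """\
Apr 17 21:58:01 host1 sshd[2001]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
Apr 17 21:58:03 host1 sshd[2002]: Failed password for invalid user test from 192.0.2.10 port 40002 ssh2
Apr 17 21:58:05 host1 sshd[2003]: Failed password for root from 192.0.2.10 port 40003 ssh2
Apr 17 21:58:07 host1 sshd[2004]: Failed password for invalid user oracle from 192.0.2.10 port 40004 ssh2
Apr 17 21:58:09 host1 sshd[2005]: Failed password for guest from 192.0.2.10 port 40005 ssh2
Apr 17 21:58:11 host1 sshd[2006]: Failed password for invalid user user from 192.0.2.10 port 40006 ssh2
Apr 17 21:58:13 host1 sshd[2007]: Accepted password for guest from 192.0.2.10 port 40007 ssh2
Apr 17 22:01:00 host1 sshd[2010]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Apr 17 22:01:20 host1 sshd[2011]: Accepted password for alice from 198.51.100.7 port 51001 ssh2
"""

# "invalid user" appears when the username does not exist on the host; the
# optional group lets both forms match.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse(log_text):
    """Return a list of (result, user, ip) tuples in log order."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["result"], m["user"], m["ip"]))
    return events


def find_dictionary_attacks(events, min_failures=5, min_users=3):
    """Return {ip: stats} for sources that look like dictionary scanners.

    A source is flagged once it has at least `min_failures` failed logins spread
    over at least `min_users` distinct usernames. A successful login is recorded
    under "accepted" only if the source had already crossed those thresholds,
    so a user's own typo before a good login is not reported.
    """
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "accepted": []})
    for result, user, ip in events:
        s = stats[ip]
        if result == "Failed":
            s["failures"] += 1
            s["users"].add(user)
        elif s["failures"] >= min_failures and len(s["users"]) >= min_users:
            s["accepted"].append(user)
    return {
        ip: s
        for ip, s in stats.items()
        if s["failures"] >= min_failures and len(s["users"]) >= min_users
    }


def guessed_accounts(log_text, **thresholds):
    """Return sorted (ip, user) pairs where a scanning source got a valid password.

    These are the accounts to inspect for processes started by the intruder,
    since the thread notes the follow-on scanner runs as the guessed user.
    """
    attacks = find_dictionary_attacks(parse(log_text), **thresholds)
    return sorted((ip, user) for ip, s in attacks.items() for user in s["accepted"])


if __name__ == "__main__":
    for ip, s in find_dictionary_attacks(parse(SAMPLE_LOG)).items():
        print(f"{ip}: {s['failures']} failures over {len(s['users'])} usernames, "
              f"accepted logins: {s['accepted']}")
    print("accounts to check:", guessed_accounts(SAMPLE_LOG))
```

Run against a real `/var/log/auth.log` (or `/var/log/secure`), the same functions give the list of accounts whose passwords were guessed from a scanning source; the next step is to look at that user's running processes and outbound connections rather than only blocking the source address, since the post notes the follow-on scanner runs under the compromised account, not as root.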
