Re: [cobalt-users] SSH EXPLOIT IN THE WILD
- Subject: Re: [cobalt-users] SSH EXPLOIT IN THE WILD
- From: Larry Smith <lesmith@xxxxxxxxx>
- Date: Thu Sep 18 20:39:01 2003
- Organization: ECSIS
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
On Thursday 18 September 2003 13:38, Chris wrote:
> <snip>
> If put in hosts.allow, it will send an email for every SSH connection
> "allowed", if put in hosts.deny it will send an email for every connection
> denied.
> <snip>
> #### CUT HERE ##########
> #!/bin/sh
> #
> # Security Notes SHELL
> ###############################################################
> #sshd: ALL : spawn /usr/local/etc/secnotes "%a+%A+%c+%d+%h+%H+%s+%u" & : DENY
> #
> DT1=`date`
> TMP="${1}" ## Save input
> LHOST=`uname -n` ## Get local name
> ## Now set input as argument list
> set -- `echo ${1} | tr -s "+" " "`
> ## Now send message based on input args...
> cat << !EOF! | /bin/mail -s "Wrappers: $1 $LHOST == $7" root > /dev/null 2>&1
>
> SECURITY NOTES - ATTEMPTED CONNECTION
> DATE: $DT1
>
> PORT: $4
> SERVER: ($7)
> CONNECTION: ($3)
> ON: $6:$2
> BY: $5:$1
> as USER: $8
>
> !EOF!
>
> exit
> ##### CUT HERE ###########
>
> Enjoy....
>
> --
> Larry Smith
> SysAd ECSIS.NET
> sysad@xxxxxxxxx
>
> Great script. Where do you modify it so that you are not receiving system
> checks every 15 minutes?
> SECURITY NOTES - ATTEMPTED CONNECTION
> DATE: Thu Sep 18 11:30:05 PDT 2003
>
> PORT: sshd
> SERVER: (sshd@xxxxxxxxx)
> CONNECTION: (127.0.0.1)
> ON: 127.0.0.1:127.0.0.1
> BY: 127.0.0.1:127.0.0.1
> as USER: root
>
> Thanks,
> Chris
>
Chris, et al.
Just prior to the line for SSHD in your hosts.allow, add a line for
ALL : ALL : localhost
(which is 127.0.0.1) which should clear that.
--
Larry Smith
SysAd ECSIS.NET
sysad@xxxxxxxxx
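
An added example, not part of the original message or of the posted script: the same "+"-joined argument parsed into named fields, with loopback connections filtered out inside the script before any mail would be sent. The function names and the sample inputs (documentation addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: parse the "+"-joined argument built
# from "%a+%A+%c+%d+%h+%H+%s+%u" and skip notes for loopback clients.

# Split the argument on "+" into named fields. A count other than eight
# means a field was empty at the end or itself contained "+".
parse_wrapper_arg() {
    old_ifs=$IFS
    set -f                  # keep "*" or "?" in a field from globbing
    IFS='+'
    set -- $1
    IFS=$old_ifs
    set +f
    [ "$#" -eq 8 ] || return 1
    CLIENT_ADDR=$1 SERVER_ADDR=$2 CLIENT_INFO=$3 DAEMON=$4
    CLIENT_HOST=$5 SERVER_HOST=$6 SERVER_INFO=$7 CLIENT_USER=$8
}

# Loopback clients are local checks, not remote connection attempts.
is_loopback() {
    case $1 in
        127.*|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the note body (status 0), skip loopback (1), or reject input (2).
build_note() {
    parse_wrapper_arg "$1" || { echo "malformed wrapper argument" >&2; return 2; }
    is_loopback "$CLIENT_ADDR" && return 1
    cat <<EOF
SECURITY NOTES - ATTEMPTED CONNECTION
PORT: $DAEMON
SERVER: ($SERVER_INFO)
CONNECTION: ($CLIENT_INFO)
ON: $SERVER_HOST:$SERVER_ADDR
BY: $CLIENT_HOST:$CLIENT_ADDR
as USER: $CLIENT_USER
EOF
}

# Constructed sample inputs (documentation addresses, not real hosts).
SAMPLE_REMOTE='203.0.113.9+192.0.2.10+203.0.113.9+sshd+203.0.113.9+www.example.com+sshd@192.0.2.10+unknown'
SAMPLE_LOCAL='127.0.0.1+127.0.0.1+127.0.0.1+sshd+127.0.0.1+127.0.0.1+sshd@127.0.0.1+root'
build_note "$SAMPLE_REMOTE"
build_note "$SAMPLE_LOCAL" || echo "loopback check skipped, no mail sent"
```

Piping the output of `build_note` to the mailer only when it returns 0 keeps the periodic local checks out of root's mailbox while remote attempts are still reported.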