[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: spyware on OS X

Subject: Re: spyware on OS X
From: Todd Dailey <email@hidden>
Date: Tue, 14 Sep 2004 16:32:26 -0700
Delivered-to: email@hidden
Delivered-to: email@hidden
User-agent: Mozilla Thunderbird 0.8 (Macintosh/20040913)

Just FYI, the script making the rounds that causes these log entries is this one: http://www.k-otik.com/exploits/08202004.brutessh2.c.php

It's got a small 2,000-word dictionary in this iteration. It would be prudent for everyone with SSH enabled on OSX to scan the list and make sure you aren't using one of the passwords in the list. I personally get several scans a day on my home server from people that appear to be using this script.

- Todd

email@hidden wrote:

It's pretty obvious, especially when the login attempts are serial...

Sep 13 20:41:07 localhost xinetd[296]: START: ssh pid=1669 from=64.246.26.9
Sep 13 20:41:12 localhost sshd[1669]: Illegal user test from 64.246.26.9
Sep 13 20:41:12 localhost xinetd[296]: service ssh, IPV6_ADDRFORM setsockopt() failed: Protocol not available (errno = 42)
Sep 13 20:41:12 localhost xinetd[296]: START: ssh pid=1671 from=64.246.26.9
Sep 13 20:41:14 localhost sshd[1669]: reverse mapping checking getaddrinfo for ev1s-64-246-26-9.ev1servers.net failed - POSSIBLE BREAKIN ATTEMPT!
Sep 13 20:41:14 localhost sshd[1671]: Illegal user guest from 64.246.26.9
Sep 13 20:41:15 localhost xinetd[296]: service ssh, IPV6_ADDRFORM setsockopt() failed: Protocol not available (errno = 42)

----- In Response To -----

Hi, I don't have any indications of such hacking activity, probably because I use Mac OSX's built-in software firewall. I suppose it would be obvious? What are the messages that make you think you're being guessed at? Something like "attempt to log in as root failed due to too many attempts? Just curious about what's out there. Thanks.


_______________________________________________
Do not post admin requests to the list. They will be ignored.
Scitech mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/scitech/email@hidden

This email sent to email@hidden

--
---
Enterprise Sales Engineer	email:email@hidden
office: 408-974-7766		AIM/iChat:email@hidden

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Scitech mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/scitech/email@hidden

This email sent to email@hidden

References:
	>Re: Re: spyware on OS X (From: email@hidden)

Prev by Date: Re: spyware on OS X
Next by Date: re altivec
Previous by thread: Re: spyware on OS X
Next by thread: Assign Shortcuts in XCode?
Index(es):
- Date
- Thread

Home