[Plug-security] & The Beat Goes On
Lisa Kachold
lisakachold at obnosis.com
Wed Sep 25 17:45:56 MST 2013
More fun (although I have reported all these attempts to each of the
technical contacts for each of the SWIP'd IP addresses).
But if we were going to attempt to exploit this hacker's domain (although
we know it is illegal and there are consequences), we would use any of the
following:
SSH exploits - brute force dictionary attacks (examples:
http://it-clowns.com/c/files/drawer/augusthackfest-ssh.txt )
Metasploit/Armitage which should allow us to automatically pwn this system.
[root at fly-obnosis-com asil]# nmap 14.139.229.42
Starting Nmap 6.25 ( http://nmap.org ) at 2013-09-25 17:16 MST
Nmap scan report for 14.139.229.42
Host is up (0.34s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp filtered smtp
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
1666/tcp open netview-aix-6
5989/tcp open wbem-https
Nmap done: 1 IP address (1 host up) scanned in 26.54 seconds
[root at fly-obnosis-com asil]#
What is the commonality of all of these systems?
Unpatched daemons open and running without adequate controls and protections:
source and destination port based iptables
denyhosts
known exploitable system ports open (135, 139, 445)
---------- Forwarded message ----------
From: DenyHosts <nobodymail.obnosis.com at mail.localdomain>
Date: Wed, Sep 25, 2013 at 8:40 AM
Subject: DenyHosts Report from mail
To: lisakachold at obnosis.com
Added the following hosts to /etc/hosts.deny:
14.139.229.42 (unknown)
----------------------------------------------------------------------
--
(503) 754-4452 Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
it-clowns.com <http://it-clowns.com/c/>
Chief Clown
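Reading the scan and the DenyHosts report above from the defender's side, here is an added example (not code from the post or from the DenyHosts project) that parses the two reports quoted in the message and summarises what is reachable, which of it matches the post's watch list (SSH, and the 135/139/445 ports), and whether DenyHosts has already blocked the host. The function names, the watch list and the embedded sample text are the example's own assumptions.

```python
import re
# Constructed sample input: the nmap output and the DenyHosts report quoted in
# the post, embedded here so the script runs offline.
NMAP_REPORT = """\
Starting Nmap 6.25 ( http://nmap.org ) at 2013-09-25 17:16 MST
Nmap scan report for 14.139.229.42
PORT STATE SERVICE
22/tcp open ssh
25/tcp filtered smtp
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
1666/tcp open netview-aix-6
5989/tcp open wbem-https
"""
DENYHOSTS_REPORT = """\
Added the following hosts to /etc/hosts.deny:
14.139.229.42 (unknown)
"""
# Ports the post calls out as "known exploitable" when left reachable.
LEGACY_WINDOWS_PORTS = {135, 139, 445}
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|filtered|closed)\s+(\S+)")
IPV4 = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})", re.M)

def parse_nmap(text):
    """Return (target, {port: (state, service)}) from normal-format nmap output."""
    m = re.search(r"^Nmap scan report for (\S+)", text, re.M)
    ports = {}
    for line in text.splitlines():
        pm = PORT_LINE.match(line.strip())
        if pm:
            ports[int(pm.group(1))] = (pm.group(3), pm.group(4))
    return (m.group(1) if m else None), ports

def denyhosts_blocked(text):
    """Return the hosts a DenyHosts report says were added to /etc/hosts.deny."""
    return set(IPV4.findall(text))

def triage(target, ports, blocked):
    """Read the scan as a defender: reachable ports, watch-list hits, DenyHosts status."""
    open_ports = {p for p, (state, _) in ports.items() if state == "open"}
    findings = []
    if 22 in open_ports:
        findings.append("ssh reachable: confirm key-only auth and brute-force throttling")
    legacy = open_ports & LEGACY_WINDOWS_PORTS
    if legacy:
        findings.append(f"legacy RPC/SMB ports open: {sorted(legacy)}")
    return {"open": open_ports, "findings": findings, "already_blocked": target in blocked}
```

Run it as `triage(*parse_nmap(NMAP_REPORT), denyhosts_blocked(DENYHOSTS_REPORT))`; on the sample it reports SSH as the only watch-list hit and confirms the host is already in hosts.deny.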