[wplug] Breakin attempts against the nobody account

Tom Rhodes trhodes at FreeBSD.org
Mon Mar 28 15:47:29 EST 2005


On Mon, 28 Mar 2005 10:03:36 -0500
Bill Moran <wmoran at potentialtech.com> wrote:

> 
> I'm sure I'm not the only one seeing this.  I constantly have jackasses
> trying to ssh in to my server, in the hopes that I've chosen a really
> stupid password for an account.  Usually this is against root, and I'm
> guessing such an attack yields a frighteningly high number of successes
> when applied against 1000s of machines.
> 
> However, I occasionally see the attempt against other accounts ... last
> night it was against "nobody".  This surprises me, as any system I've
> ever seen has the "nobody" account disabled by default, so such an
> approach would be pretty much a waste of time.
> 
> My question is: Are there systems out there with an unsecured "nobody"
> account by default?  Or are there installation profiles that enable the
> "nobody" account?
> 
> I'm just curious, since I'm not familiar with any way this would ever
> work.

It's a script kiddy tactic that has been flooding the Internet
and seems to be all the rage.  As a security focus member, I
can assure you that this has been beat to death on other lists.

Here is how it works:

Script kiddy gets access to a machine on the net (or, if he's
a moron, does it from his own machine).

They install a script that checks random IPs for sshd; having found
one, it makes a connection.  This connection will attempt to
log into the following accounts:

operator
root
mysql
www
nobody
games
...

Said script, if access is granted, attempts to run a perl backhoe
on that machine (sometimes) and sends an email to the originator.
Said email provides IP, account, and password which allows entry
to script kiddy.

If you're like me, then each of those accounts is blocked from any
external entry and many of them completely disabled.

If a script kiddy gets access to your machine in this way,
since they're basic passwords (god?), you deserve it as well
as a verbal thrashing in public.

-- 
Tom Rhodes
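As an added illustration of the pattern described above (not code from the original thread, from Tom, or from FreeBSD), this Python script parses OpenSSH auth-log lines and flags any source address that fails logins against several of the listed service accounts. The log lines, addresses and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Service accounts the posted script is described as trying (taken from the
# message above); none of them should ever be logging in over ssh.
SERVICE_ACCOUNTS = {"operator", "root", "mysql", "www", "nobody", "games"}

# OpenSSH syslog line for a failed password login, including the
# "invalid user" form used for names that do not exist locally.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)"
)

def parse_failures(lines):
    """Return (account, source_ip) for every failed ssh password attempt."""
    hits = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            hits.append((m.group(1), m.group(2)))
    return hits

def flag_scanners(lines, threshold=3):
    """Map source IP -> sorted service accounts it failed against, keeping only
    sources that hit at least `threshold` distinct service accounts.  Walking
    down a list of system accounts from one address is the signature of the
    scanning script, as opposed to a user mistyping their own password."""
    by_ip = defaultdict(set)
    for account, ip in parse_failures(lines):
        if account in SERVICE_ACCOUNTS:
            by_ip[ip].add(account)
    return {ip: sorted(accts) for ip, accts in by_ip.items() if len(accts) >= threshold}

# Constructed sample log lines (documentation-range addresses, not a real host).
SAMPLE_LOG = """\
Mar 28 02:11:04 host sshd[4412]: Failed password for root from 192.0.2.10 port 40211 ssh2
Mar 28 02:11:06 host sshd[4414]: Failed password for invalid user mysql from 192.0.2.10 port 40213 ssh2
Mar 28 02:11:08 host sshd[4416]: Failed password for nobody from 192.0.2.10 port 40215 ssh2
Mar 28 02:11:10 host sshd[4418]: Failed password for games from 192.0.2.10 port 40217 ssh2
Mar 28 02:15:00 host sshd[4420]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Mar 28 02:16:00 host sshd[4422]: Accepted publickey for alice from 198.51.100.7 port 51001 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, accts in flag_scanners(SAMPLE_LOG).items():
        print(f"{ip}: tried service accounts {', '.join(accts)}")
```

Run against a real /var/log/auth.log the same function gives a quick list of addresses worth blocking at the firewall, independent of whether the accounts are already locked.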

