[wplug] Breakin attempts against the nobody account

Bill Moran wmoran at potentialtech.com
Tue Mar 29 09:37:12 EST 2005


Tom Rhodes <trhodes at FreeBSD.org> wrote:

> On Mon, 28 Mar 2005 10:03:36 -0500
> Bill Moran <wmoran at potentialtech.com> wrote:
> 
> > 
> > I'm sure I'm not the only one seeing this.  I constantly have jackasses
> > trying to ssh in to my server, in the hopes that I've chosen a really
> > stupid password for an account.  Usually this is against root, and I'm
> > guessing such an attack yields a frighteningly high number of successes
> > when applied against 1000s of machines.
> > 
> > However, I occasionally see the attempt against other accounts ... last
> > night it was against "nobody".  This surprises me, as any system I've
> > ever seen has the "nobody" account disabled by default, so such an
> > approach would be pretty much a waste of time.
> > 
> > My question is: Are there systems out there with an unsecured "nobody"
> > account by default?  Or are there installation profiles that enable the
> > "nobody" account?
> > 
> > I'm just curious, since I'm not familiar with any way this would ever
> > work.
> 
> It's a script kiddy tactic that has been flooding the Internet
> and seems to be all the rage.  As a security focus member, I
> can assure you that this has been beat to death on other lists.

I'm aware of the tactic, Tom.  I'm just confused as to what anyone thinks
they're going to gain by trying to brute force the nobody account.

Apparently, there are a number of variants of this script.  The most common
seems to try three passwords against root and move on.  Another variant
tries root, nobody and operator.  Another variant tries 20 or so passwords
against root and a few against some other accounts.

My question was (really) whether anyone has ever seen the attacks against
nobody succeed, or knows of any installation profiles where it would
succeed.

> 
> Here is how it works:
> 
> Script kiddy gets access to a machine on the net (or, if he's
> a moron, does it from his own machine).
> 
> They install a script that checks random IPs for sshd, finding
> one, it makes a connection.  This connection will attempt to
> log into the following accounts:
> 
> operator
> root
> mysql
> www
> nobody
> games
> ...
> 
> Said script, if access is granted, attempts to run a perl backhoe
> on that machine (sometimes) and sends an email to the originator.
> Said email provides IP, account, and password which allows entry
> to script kiddy.
> 
> If you're like me, then each of those accounts is blocked from any
> external entry and many of them completely disabled.
> 
> If a script kiddy gets access to your machine in this way,
> since they're basic passwords (god?), you deserve it as well
> as a verbal thrashing in public.
> 
> -- 
> Tom Rhodes


-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
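Added example (not part of the original thread): the scripted behaviour Tom describes, a handful of password guesses against root followed by attempts on system accounts such as nobody, operator and www, is easy to spot in sshd's auth log. The script below parses a small constructed sample of auth.log lines (not real traffic), groups failed logins by source address, and labels each source by the pattern Bill describes: a short root-only burst versus a sweep across system accounts. The set of "system accounts" and the failure threshold are assumptions chosen for illustration; adjust them to your own passwd file.

```python
import re
from collections import defaultdict

# Constructed sample of sshd auth.log lines (not real traffic), shaped like the
# scripted attempts discussed in the thread.  One source tries root a few times
# and then nobody/operator/www; another tries root three times and moves on.
SAMPLE_LOG = """\
Mar 28 02:11:04 host sshd[1201]: Failed password for root from 198.51.100.7 port 40122 ssh2
Mar 28 02:11:06 host sshd[1203]: Failed password for root from 198.51.100.7 port 40125 ssh2
Mar 28 02:11:09 host sshd[1205]: Failed password for root from 198.51.100.7 port 40130 ssh2
Mar 28 02:11:12 host sshd[1207]: Failed password for invalid user nobody from 198.51.100.7 port 40133 ssh2
Mar 28 02:11:15 host sshd[1209]: Failed password for operator from 198.51.100.7 port 40136 ssh2
Mar 28 02:11:18 host sshd[1211]: Failed password for invalid user www from 198.51.100.7 port 40140 ssh2
Mar 28 03:40:51 host sshd[1340]: Failed password for root from 203.0.113.9 port 51002 ssh2
Mar 28 03:40:53 host sshd[1342]: Failed password for root from 203.0.113.9 port 51004 ssh2
Mar 28 03:40:55 host sshd[1344]: Failed password for root from 203.0.113.9 port 51007 ssh2
Mar 28 08:15:30 host sshd[1502]: Accepted publickey for wmoran from 192.0.2.44 port 50123 ssh2
"""

# Assumed list of accounts that should never log in interactively over ssh.
# A failed attempt against any of these is scanner behaviour, not a user typo.
SYSTEM_ACCOUNTS = {"root", "nobody", "operator", "mysql", "www", "games",
                   "daemon", "bin"}

# Matches both "Failed password for root from ..." and the "invalid user" form
# sshd logs for names that do not exist in passwd at all.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_failures(log_text):
    """Return a list of (user, source_ip) tuples, one per failed password line."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures.append((m.group("user"), m.group("ip")))
    return failures


def summarize_by_source(failures):
    """Map source IP -> {"count": failures, "users": usernames in first-seen order}."""
    summary = defaultdict(lambda: {"count": 0, "users": []})
    for user, ip in failures:
        entry = summary[ip]
        entry["count"] += 1
        if user not in entry["users"]:
            entry["users"].append(user)
    return dict(summary)


def classify(summary, threshold=3):
    """Label each source by the attempt pattern.

    'system-account sweep': tried at least one non-root system account
    'root brute force'    : only root, at least `threshold` failures
    'low volume'          : anything else (could be a legitimate user's typo)
    """
    labels = {}
    for ip, entry in summary.items():
        targeted = set(entry["users"])
        if targeted & (SYSTEM_ACCOUNTS - {"root"}):
            labels[ip] = "system-account sweep"
        elif targeted == {"root"} and entry["count"] >= threshold:
            labels[ip] = "root brute force"
        else:
            labels[ip] = "low volume"
    return labels


def report(log_text):
    """Convenience wrapper: parse, summarize and classify in one call."""
    summary = summarize_by_source(parse_failures(log_text))
    return summary, classify(summary)


if __name__ == "__main__":
    summary, labels = report(SAMPLE_LOG)
    for ip in sorted(summary):
        print(f"{ip:16} {summary[ip]['count']:3d} failures "
              f"users={','.join(summary[ip]['users'])} -> {labels[ip]}")
```

Run against a real auth.log by replacing SAMPLE_LOG with the file contents; sources labelled as sweeps are candidates for a firewall block, and the username list per source tells you which of your locked accounts the scanner expected to find open. Note that sshd only logs the "invalid user" form for accounts absent from passwd, so nobody and operator showing up without that prefix is expected on a stock BSD system where those entries exist but have no usable password.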