[wplug] Breakin attempts against the nobody account

Tom Rhodes trhodes at FreeBSD.org
Tue Mar 29 15:58:47 EST 2005


On Tue, 29 Mar 2005 09:37:12 -0500
Bill Moran <wmoran at potentialtech.com> wrote:

> Tom Rhodes <trhodes at FreeBSD.org> wrote:
> 
> > On Mon, 28 Mar 2005 10:03:36 -0500
> > Bill Moran <wmoran at potentialtech.com> wrote:
> > 
> > > 
> > > I'm sure I'm not the only one seeing this.  I constantly have jackasses
> > > trying to ssh in to my server, in the hopes that I've chosen a really
> > > stupid password for an account.  Usually this is against root, and I'm
> > > guessing such an attack yields a frighteningly high number of successes
> > > when applied against 1000s of machines.
> > > 
> > > However, I occasionally see the attempt against other accounts ... last
> > > night it was against "nobody".  This surprises me, as any system I've
> > > ever seen has the "nobody" account disabled by default, so such an
> > > approach would be pretty much a waste of time.
> > > 
> > > My question is: Are there systems out there with an unsecured "nobody"
> > > account by default?  Or are there installation profiles that enable the
> > > "nobody" account?
> > > 
> > > I'm just curious, since I'm not familiar with any way this would ever
> > > work.
> > 
> > It's a script kiddy tactic that has been flooding the Internet
> > and seems to be all the rage.  As a security focus member, I
> > can assure you that this has been beat to death on other lists.
> 
> I'm aware of the tactic, Tom.  I'm just confused as to what anyone thinks
> they're going to gain by trying to brute force the nobody account.
> 
> Apparently, there are a number of variants of this script.  The most common
> seems to try three passwords against root and move on.  Another variant
> tries root, nobody and operator.  Another variant tries 20 or so passwords
> against root and a few against some other accounts.
> 
> My question was (really) whether anyone has ever seen the attacks against
> nobody succeed, or knows of any installation profiles where it would
> succeed.

They obviously succeed.  I've heard reports of it, some dumb
admin doesn't do account security properly and boom, issue.
In some cases, it's a junior admin's ``mistake'' which opens
the box up.

Remember your readings?  The Hacker Crackdown, The Artificial
Kid, and many others.  There are those out there who have nothing
better to do than try every list of IP addresses they can think
of.  With each IP address, they try a handful of ``common
passwords'' and move on.  Back in those days, we didn't call
them script kiddies, they were actually called hackers.  And
the fine line drawn between hacker and cracker was:

``Crackers would eventually get in.  They would evaluate
every type of software running on the machine in order to
find a hole.  Hackers were just people who selected a variety
of targets, played for a small amount of time, and then
moved on.''[1]

[1]: The Hacker Crackdown  (IIRC, I lent my copy to someone
     and never saw it again.)

-- 
Tom Rhodes
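A defender-side example, added here and not part of the thread or of anything Tom or Bill posted: a small Python script that parses OpenSSH "Failed password" lines of the kind FreeBSD writes to /var/log/auth.log, groups them per source address, and labels each source by the pattern Bill describes (a few tries against root only; root plus nobody and operator; or ordinary user names as well). It also lists which sources tried the nobody account, which is the quickest way to answer the original question for your own box. The log lines are constructed samples using documentation address ranges, and the function names and the SYSTEM_ACCOUNTS set are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample sshd auth-log lines (OpenSSH "Failed password" format, as in
# FreeBSD /var/log/auth.log); addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Mar 28 02:11:04 host sshd[812]: Failed password for root from 203.0.113.7 port 4001 ssh2
Mar 28 02:11:06 host sshd[812]: Failed password for root from 203.0.113.7 port 4001 ssh2
Mar 28 02:11:08 host sshd[812]: Failed password for root from 203.0.113.7 port 4001 ssh2
Mar 28 02:12:31 host sshd[815]: Failed password for nobody from 203.0.113.7 port 4003 ssh2
Mar 28 02:12:33 host sshd[816]: Failed password for operator from 203.0.113.7 port 4004 ssh2
Mar 28 03:40:10 host sshd[901]: Failed password for invalid user test from 198.51.100.9 port 5120 ssh2
Mar 28 03:40:12 host sshd[902]: Failed password for root from 198.51.100.9 port 5121 ssh2
Mar 28 08:15:00 host sshd[990]: Accepted publickey for wmoran from 192.0.2.4 port 6000 ssh2
Mar 28 09:00:00 host sshd[995]: Failed password for wmoran from 192.0.2.4 port 6001 ssh2
"""

# Matches both "Failed password for USER" and "Failed password for invalid user USER".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# System accounts that should never accept a password login.  The thread names
# root, nobody and operator as the ones the scanning scripts try; the rest are
# an assumption of this example.
SYSTEM_ACCOUNTS = frozenset({"root", "nobody", "operator", "daemon", "bin", "toor"})


def parse_failures(log_text):
    """Yield (user, ip) for every failed-password line; other lines are ignored."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("ip")


def summarize(log_text):
    """Group failures by source address: {ip: {user: count}}."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for user, ip in parse_failures(log_text):
        per_ip[ip][user] += 1
    return {ip: dict(users) for ip, users in per_ip.items()}


def classify(summary):
    """Label each source by the pattern it shows.

    'root-only'       only root was tried (the "three passwords and move on" variant)
    'system-accounts' only system accounts, more than one of them (root/nobody/operator)
    'other'           at least one ordinary or non-existent user name was tried
    """
    labels = {}
    for ip, users in summary.items():
        names = set(users)
        if names == {"root"}:
            labels[ip] = "root-only"
        elif names <= SYSTEM_ACCOUNTS:
            labels[ip] = "system-accounts"
        else:
            labels[ip] = "other"
    return labels


def sources_targeting(summary, account):
    """Sorted list of source addresses that tried the given account."""
    return sorted(ip for ip, users in summary.items() if account in users)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    labels = classify(summary)
    for ip in sorted(summary):
        tried = ", ".join(f"{u}x{n}" for u, n in sorted(summary[ip].items()))
        print(f"{ip:15} {labels[ip]:15} {tried}")
    print("sources that tried 'nobody':", sources_targeting(summary, "nobody"))
```

Feed it the real log instead of SAMPLE_LOG (for example `summarize(open("/var/log/auth.log").read())`) to see which of Bill's variants is hitting a host. The "Accepted" line in the sample is deliberately left unmatched so the counts only reflect failures. On FreeBSD the companion check for the account itself is `pw usershow nobody`, which prints the master.passwd entry: as shipped, nobody has a starred password field and /usr/sbin/nologin as its shell, so a password guess against it cannot succeed unless an administrator changed both.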