[wplug] Breakin attempts against the nobody account

Tom Rhodes trhodes at FreeBSD.org
Tue Mar 29 16:01:40 EST 2005


On Tue, 29 Mar 2005 10:39:14 -0500
Chris Ott <cott at acclamation.com> wrote:

> 
> Bill Moran wrote:
> > Tom Rhodes <trhodes at FreeBSD.org> wrote:
> >>
> >>It's a script kiddy tactic that has been flooding the Internet
> >>and seems to be all the rage.  As a security focus member, I
> >>can assure you that this has been beat to death on other lists.
> > 
> > I'm aware of the tactic, Tom.  I'm just confused as to what anyone thinks
> > they're going to gain by trying to brute force the nobody account.
> 
> Most flavors of Unix still keep their DES-encrypted passwords in the 
> "/etc/passwd" file. Brute-forcing those is fairly easy, especially if 
> you can grab a copy of the file and work from your own system. Granted, 
> the vast majority of machines on the Internet that look like Unix 
> machines are actually Linux, these days. However, given that most of 
> these attacks are automated, it may still be worth the effort to find 
> the rare Unix box.
> 
> Just a suggestion...

Welcome to Sendmail.  Comes on almost every Unix variant from
AIX to Ultrix; usually enabled by default[1].  If I wanted
a copy of the password file, my first move would be to see
if and what version of sendmail the system was running.

Yet, with all of these stupid scripts going around, I would
think most of the simple password attempts would be ignored
by certain administrators.

[1]: This may have changed.

-- 
Tom Rhodes
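The two defensive checks this thread points at are (a) whether a host is actually seeing the automated password runs against system accounts such as nobody, and (b) whether the password file exposes anything those runs could use: a real crypt(3) hash in a world-readable passwd, or an account like nobody that is not fully locked. The script below is an added example and is not code from the list, from any poster or from FreeBSD; the sshd log lines and passwd entries are constructed samples, the `SYSTEM_ACCOUNTS` set and the three-attempt threshold are assumptions, and the log regex matches the OpenSSH "Failed password for ... from ... port ..." format.

```python
import re
from collections import Counter

# Constructed sample sshd log lines (illustrative only; not from the thread or any real host).
SAMPLE_AUTH_LOG = """\
Mar 29 10:31:02 gw sshd[4121]: Illegal user test from 192.0.2.10
Mar 29 10:31:05 gw sshd[4123]: Failed password for nobody from 192.0.2.10 port 40112 ssh2
Mar 29 10:31:07 gw sshd[4125]: Failed password for nobody from 192.0.2.10 port 40114 ssh2
Mar 29 10:31:09 gw sshd[4127]: Failed password for nobody from 192.0.2.10 port 40118 ssh2
Mar 29 10:31:11 gw sshd[4129]: Failed password for root from 192.0.2.10 port 40120 ssh2
Mar 29 10:40:00 gw sshd[4201]: Accepted publickey for alice from 198.51.100.7 port 51002 ssh2
Mar 29 10:41:10 gw sshd[4210]: Failed password for nobody from 198.51.100.9 port 33001 ssh2
"""

# OpenSSH failed-password line: "Failed password for [invalid user] USER from IP port N".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

# Assumption: accounts that should never authenticate interactively. Any password
# attempt against them is script noise; a cluster from one source is a brute-force run.
SYSTEM_ACCOUNTS = {"nobody", "daemon", "bin", "operator", "www"}


def failed_logins(log_text):
    """Yield (user, source_ip) for every failed password attempt in the log text."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group(1), m.group(2)


def brute_force_sources(log_text, threshold=3):
    """Return {(ip, user): count} for sources hitting a system account >= threshold times."""
    counts = Counter(
        (ip, user) for user, ip in failed_logins(log_text) if user in SYSTEM_ACCOUNTS
    )
    return {key: n for key, n in counts.items() if n >= threshold}


# Constructed passwd-style entries (illustrative). A traditional DES crypt(3) hash is 13
# characters from [./0-9A-Za-z]; modular schemes start with '$'. '*' and '!' lock the
# account, 'x' means the hash lives in a separate shadow file.
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
www:x:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
guest:ab3dEFGH12345:1002:1002:Guest:/home/guest:/bin/sh
"""

NOLOGIN_SHELLS = {"nologin", "false"}


def password_state(pw):
    """Classify a passwd password field: 'locked', 'shadowed', 'empty' or 'hash'."""
    if pw.startswith("*") or pw.startswith("!"):
        return "locked"
    if pw == "x":
        return "shadowed"
    if pw == "":
        return "empty"
    return "hash"  # a real crypt(3) hash sitting in a world-readable file


def account_review(passwd_text):
    """Map each user to (password_state, shell_disabled). nobody should be ('locked', True)."""
    review = {}
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed entry; skip rather than guess
        user, pw, shell = fields[0], fields[1], fields[6]
        shell_disabled = shell.rsplit("/", 1)[-1] in NOLOGIN_SHELLS
        review[user] = (password_state(pw), shell_disabled)
    return review


def exposed_hashes(passwd_text):
    """Usernames whose hash is readable straight out of the passwd file (Chris's scenario)."""
    return [u for u, (state, _) in account_review(passwd_text).items() if state == "hash"]


if __name__ == "__main__":
    for (ip, user), n in brute_force_sources(SAMPLE_AUTH_LOG).items():
        print(f"brute force: {n} failed attempts against '{user}' from {ip}")
    for user in exposed_hashes(SAMPLE_PASSWD):
        print(f"exposed hash in passwd: {user}")
    print("nobody:", account_review(SAMPLE_PASSWD)["nobody"])
```

On a real host the log text would come from `/var/log/auth.log` (or FreeBSD's `/var/log/auth.log` via syslog) and the passwd text from `/etc/passwd`; the point of the review is that the nobody entry should come back as `('locked', True)`, and `exposed_hashes` should be empty because hashes belong in the root-only shadow or `master.passwd` file, not in the world-readable copy.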


More information about the wplug mailing list