Last week I was asked to help a friend check out his server, which had been hacked. At first I suspected some kind of PHP leak or SQL injection, but I was wrong: the cracker had used some kind of SSH user/password scanner and got his root password.
I found this out because the cracker had created a new user on the server and was running the password scanner from it to gain access to more servers.
The cracker deleted the C source code of the scanner but left some shell scripts running, and here is how it works: the scanner has a pretty large username/password database, and it runs through that database against every machine it can reach online. Pretty simple, hmm? And with some simple tricks, like scanning the machines that already have SSH connections with the current machine, it gets pretty efficient.
The thing that scares me most is that they have a really large database. Not only the usual dictionary words or simple phrases like "letmein"; I saw things like "mima", which is the Chinese pronunciation of "password". There were also some passwords that I think come from other languages.
And my friend confirmed that his sysadmin used to use some really simple passwords. So use SSH2 public-key authentication whenever you get a chance, and when you have to use a password, whether for SSH or anything else, never assume your password is complicated enough.
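Two things a practitioner would want after reading the description of the scanner and the advice to move to key auth: a way to spot this kind of dictionary attack in the sshd log, including the tell-tale "password accepted right after a run of failures from the same source" that is exactly how the root account above fell, and a quick check that a server's sshd_config really has password logins switched off. The script below is an added example written for this post, not code recovered from the compromised server or from the scanner. The log lines and the two sshd_config fragments are constructed (RFC 5737 test addresses), the threshold of five failures is an arbitrary choice, and the config audit deliberately stops at the first `Match` block, whose directives only apply conditionally.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines (RFC 5737 test addresses); not real log data.
SAMPLE_LOG = """\
Jan 12 03:14:15 web1 sshd[2431]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jan 12 03:14:16 web1 sshd[2432]: Failed password for invalid user oracle from 203.0.113.7 port 51236 ssh2
Jan 12 03:14:17 web1 sshd[2433]: Failed password for invalid user admin from 203.0.113.7 port 51238 ssh2
Jan 12 03:14:18 web1 sshd[2434]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jan 12 03:14:19 web1 sshd[2435]: Failed password for root from 203.0.113.7 port 51242 ssh2
Jan 12 03:14:21 web1 sshd[2440]: Accepted password for root from 203.0.113.7 port 51260 ssh2
Jan 12 03:15:01 web1 sshd[2450]: Accepted publickey for alice from 198.51.100.5 port 40000 ssh2: RSA SHA256:abc
Jan 12 03:16:02 web1 sshd[2460]: Failed password for alice from 198.51.100.5 port 40010 ssh2
Jan 12 03:16:09 web1 sshd[2461]: Accepted password for alice from 198.51.100.5 port 40012 ssh2
"""

# Matches the standard OpenSSH "Accepted/Failed <method> for [invalid user] <user> from <ip>" message.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_events(text):
    """Yield (result, method, user, ip) for each sshd auth line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("method"), m.group("user"), m.group("ip")

def find_brute_force(text, threshold=5):
    """Return (noisy, breaches).

    noisy    -> {ip: failure_count} for sources with >= threshold password failures
    breaches -> [(ip, user)] where a *password* login succeeded after that same
                source had already reached the failure threshold. That is the
                scanner-got-lucky pattern; key-based logins are not counted.
    """
    failures = defaultdict(int)
    noisy = {}
    breaches = []
    for result, method, user, ip in parse_events(text):
        if method != "password":
            continue  # publickey logins are not dictionary guesses
        if result == "Failed":
            failures[ip] += 1
            if failures[ip] >= threshold:
                noisy[ip] = failures[ip]
        elif failures[ip] >= threshold:
            breaches.append((ip, user))
    return noisy, breaches

# Constructed sshd_config fragments: the weak one resembles a default install,
# the hardened one is what the post's advice amounts to.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
"""

def audit_sshd_config(config_text):
    """Return a list of findings describing ways a password guesser could still get in."""
    effective = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            break  # conditional Match blocks are out of scope for this simple audit
        effective.setdefault(key, value)  # sshd uses the first value it sees for a keyword
    findings = []
    if effective.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no' (default is yes)")
    if effective.get("permitrootlogin") not in ("no", "prohibit-password", "without-password"):
        findings.append("PermitRootLogin is not explicitly restricted")
    # With UsePAM yes, keyboard-interactive still prompts for the UNIX password even
    # when PasswordAuthentication is off, unless it is disabled under either of its names.
    kbd = effective.get("kbdinteractiveauthentication",
                        effective.get("challengeresponseauthentication", "yes"))
    if kbd != "no" and effective.get("usepam", "no") == "yes":
        findings.append("keyboard-interactive (PAM) password prompts still enabled")
    return findings

if __name__ == "__main__":
    noisy, breaches = find_brute_force(SAMPLE_LOG)
    print("noisy sources:", noisy)
    print("password logins after a guessing run:", breaches)
    print("weak config findings:", audit_sshd_config(WEAK_CONFIG))
    print("hardened config findings:", audit_sshd_config(HARDENED_CONFIG))
```

On a real box you would feed `/var/log/auth.log` (or `journalctl -u ssh`) to `find_brute_force` and `/etc/ssh/sshd_config` to `audit_sshd_config`; any entry in `breaches` is the point at which the account should be treated as compromised, regardless of how strong its password was believed to be.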