Security Incidents mailing list archives

Re: SSH attacks?

From: Chris Brenton <cbrenton () chrisbrenton org>
Date: Thu, 29 Jul 2004 15:03:21 -0400

On Wed, 2004-07-28 at 15:05, Jyri Hovila wrote:


It seems that at least one host has been rooted somehow relating to the
scans we're seeing:

http://www.dslreports.com/forum/remark,10854834~mode=flat~days=9999~start=60


More than just one. I'm willing to bet every source IP that hits you was
compromised the same way.

One interesting tid bit I've noticed is that every source IP I've
checked had SQL listening. Not sure if its related or a coincidence.

I'm pretty sure there is a new SSH exploit around. At least this clearly
isn't a brute force attack.


I guess I don't see how you are drawing that conclusion. To quote from
the link you provided above:

[QUOTE]
Jul 12 22:26:51 server sshd[12868]: Accepted password for test from
130.15.15.239 port 1954 ssh2
Jul 12 22:42:35 server sshd[13998]: Accepted password for test from
216.55.164.10 port 56454 ssh2
[/QUOTE]

IMHO this *is not* an exploit, but rather a connection due to a poor
password policy for the user "test" (in other words, this is classic
brute force). You could be running an outdated SSH version, use good
passwords, and be totally safe from this type of attack (not that I'm
advocating running outdated software, just trying to make a point).

As we are seeing lots of scans, but only few
rooted hosts, it really doesn't look like a worm either. Someone seems
to be scanning for vulnerable SSH daemons, obviously using previously
rooted hosts, and then roots vulnerable hosts of his/her choice
manually.


Based on the info I've seen, I believe the brute force portion is
automated while the actual toolkit install and "rooting" is being done
manually. It looks too much like a newbie fumbling around.

As I wrote in my previous message, I think it's a good choise to limit
access to SSH until this issue is solved.


Always a good idea, but if it was me I would grab a copy of John The
Ripper, the passwd & shadow files, and ensure you are using decent
password on all of your accounts.

HTH,
Chris

Current thread:

Re: SSH attacks?, (continued)
- - - Re: SSH attacks? Pieter-Bas IJdens (Jul 30)
    - Re: SSH attacks? Frank Knobbe (Jul 30)
    - Re: SSH attacks? Jay D. Dyson (Jul 30)
    - Re: SSH attacks? Frank Knobbe (Jul 31)
    - Re: SSH attacks? mgotts (Jul 31)
    - Re: SSH attacks? Steve Schuster (Jul 29)
    - Re: SSH attacks? Merlijn Tishauser (Jul 30)
- Re: SSH attacks? Tom Laermans (Jul 27)
- Re: SSH attacks? buzz (Jul 27)
  - Re: SSH attacks? Jyri Hovila (Jul 29)
    - Re: SSH attacks? Chris Brenton (Jul 29)
    - Re: SSH attacks? Valdis . Kletnieks (Jul 30)
    - Re: SSH attacks? Thomas Hochstein (Jul 30)
    - Re: SSH attacks? Matt Beland (Jul 30)
  - Re: SSH attacks? Jyri Hovila (Jul 29)
- Re: SSH attacks? Jason Falciola (Jul 27)
- Re: SSH attacks? Paul Schmehl (Jul 27)
- Re: SSH attacks? brandy (Jul 28)
  - Re: SSH attacks? Andrew J Caines (Jul 29)
    - Re: SSH attacks? Marcus Merrin (Jul 29)
    - Re: SSH attacks? Robin (Jul 30)

(Thread continues...)