Security Incidents mailing list archives
Re: SSH attacks?
From: Chris Brenton <cbrenton () chrisbrenton org>
Date: Thu, 29 Jul 2004 15:03:21 -0400
On Wed, 2004-07-28 at 15:05, Jyri Hovila wrote:
> It seems that at least one host has been rooted somehow relating to the scans we're seeing: http://www.dslreports.com/forum/remark,10854834~mode=flat~days=9999~start=60
More than just one. I'm willing to bet every source IP that hits you was compromised the same way. One interesting tidbit I've noticed is that every source IP I've checked had SQL listening. Not sure if it's related or a coincidence.
> I'm pretty sure there is a new SSH exploit around. At least this clearly isn't a brute force attack.
I guess I don't see how you are drawing that conclusion. To quote from the link you provided above:

[QUOTE]
Jul 12 22:26:51 server sshd[12868]: Accepted password for test from 130.15.15.239 port 1954 ssh2
Jul 12 22:42:35 server sshd[13998]: Accepted password for test from 216.55.164.10 port 56454 ssh2
[/QUOTE]

IMHO this *is not* an exploit, but rather a connection due to a poor password policy for the user "test" (in other words, this is classic brute force). You could be running an outdated SSH version, use good passwords, and be totally safe from this type of attack (not that I'm advocating running outdated software, just trying to make a point).
> As we are seeing lots of scans, but only few rooted hosts, it really doesn't look like a worm either. Someone seems to be scanning for vulnerable SSH daemons, obviously using previously rooted hosts, and then roots vulnerable hosts of his/her choice manually.
Based on the info I've seen, I believe the brute force portion is automated while the actual toolkit install and "rooting" is being done manually. It looks too much like a newbie fumbling around.
> As I wrote in my previous message, I think it's a good choice to limit access to SSH until this issue is solved.
Always a good idea, but if it was me I would grab a copy of John The Ripper, the passwd & shadow files, and ensure you are using decent passwords on all of your accounts.

HTH,
Chris
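The distinction Chris draws above (an "Accepted password" preceded by a run of "Failed password" attempts from the same source is a guessed password, not a daemon exploit) can be checked mechanically against an auth log. The following is an added example, not code from the thread; the log lines are constructed in the same syslog format as the ones quoted above, using documentation-range addresses, and the threshold `min_failures` is an assumed tuning knob.

```python
import re
from collections import defaultdict

# Constructed sample sshd auth log (same format as the lines quoted in the
# thread). Addresses are RFC 5737 documentation ranges, not real sources.
SAMPLE_LOG = """\
Jul 12 22:20:01 server sshd[12801]: Failed password for test from 198.51.100.7 port 1940 ssh2
Jul 12 22:20:05 server sshd[12803]: Failed password for test from 198.51.100.7 port 1941 ssh2
Jul 12 22:20:09 server sshd[12805]: Failed password for test from 198.51.100.7 port 1942 ssh2
Jul 12 22:20:13 server sshd[12807]: Failed password for invalid user guest from 198.51.100.7 port 1943 ssh2
Jul 12 22:26:51 server sshd[12868]: Accepted password for test from 198.51.100.7 port 1954 ssh2
Jul 12 22:30:00 server sshd[12900]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
Jul 12 22:42:35 server sshd[13998]: Accepted password for test from 203.0.113.5 port 56454 ssh2
"""

# One sshd auth line: timestamp, host, pid, result, method, optional
# "invalid user" marker, user name and source address.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_sshd_log(text):
    """Return a list of dicts (ts, result, method, user, src), one per
    sshd auth line; lines that are not auth events are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_guessed_logins(events, min_failures=3):
    """Return (src, user, prior_failures) for every 'Accepted password'
    that follows at least min_failures 'Failed password' attempts from
    the same source. That sequence is the signature of a guessed
    password; a daemon exploit would not show up as an accepted login.
    Key-based logins are ignored since they are not guessable this way."""
    failures = defaultdict(int)
    hits = []
    for ev in events:
        if ev["method"] != "password":
            continue
        if ev["result"] == "Failed":
            failures[ev["src"]] += 1
        elif failures[ev["src"]] >= min_failures:
            hits.append((ev["src"], ev["user"], failures[ev["src"]]))
    return hits
```

An accepted password login with no prior failures from that source (the last sample line) is not flagged by this rule; it still merits a look, since the guessing may have happened from a different host.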