Full Disclosure mailing list archives

Re: [Fwd: Re: Re: Automated SSH login attempts?]


From: Kenneth Ng <kenneth.d.ng () gmail com>
Date: Fri, 30 Jul 2004 08:25:17 -0400

I get at least a couple of probes every day.  Almost all are refused
because I have a very restrictive /etc/hosts.allow list.

On Fri, 30 Jul 2004 12:14:30 +0200, Stefan Janecek
<stefan.janecek () jku at> wrote:
Oops - forgot to cc the list on this one. Sorry.
-----Forwarded Message-----
From: Stefan Janecek <stefan.janecek () jku at>
To: Valdis.Kletnieks () vt edu
Subject: Re: [Full-disclosure] Re: Automated SSH login attempts?
Date: Fri, 30 Jul 2004 11:45:51 +0200
On Thu, 2004-07-29 at 21:35, Valdis.Kletnieks () vt edu wrote:
On Thu, 29 Jul 2004 18:38:15 +0200, Stefan Janecek <stefan.janecek () jku at> said:

This does not seem to be a stupid brute force attack, as there is only
one login attempt per user. Could it be that the tool tries to exploit
some vulnerability in the sshd, and just tries to look harmless by using
'test' and 'guest' as usernames?

Highly doubtful.  It's easy enough to test though - just use the tool
to poke another machine under your control, and use tcpdump or ethereal
to capture all the traffic (don't forget '-s 1500' or similar for tcpdump
to get the *whole* packet).  Then somebody familiar with the SSH
protocol can go through it byte by byte and look for anything odd.

I don't expect we'll find anything, unless it's some very hard to trigger hole
on some odd architecture. Remember - with all of these probes, we're only
seeing a very few boxes actually get 0wned. More likely, script kiddies have
re-discovered the concept that if there's 500 million boxes online, enough of
them are administered by clueless people that they can snarf shells using a
default userid/password pair...



This is exactly what I did. The tool tries to login as users 'test' and
'guest'. But I don't think it is about just snarfing passwords, because
those users did not exist on the compromised machine - yet they got in.

My personal feeling is (given their poor success) that they are using
some old-fart ssh vulnerability. The compromised machine had an uptime
of 254 days if I remember correctly, and was hardly used during this
time, nor has it been updated. Still I would really like to know
*exactly* what they are doing, just to make sure...




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
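Added example, not part of the thread above and not any poster's code: the thread's distinguishing observation is "one login attempt per user" (a probe for default credentials) versus many attempts per user (brute force), plus the alarming detail that a login as a user that does not exist on the box was accepted. The script below runs that logic over a few constructed OpenSSH 3.x-style syslog lines (the hosts, addresses and the local account list are invented for the example) and reports, per source address, whether the activity looks like a probe or a brute-force run, and flags any "Accepted" line for an account that is not in the local account list.

```python
"""Classify SSH login attempts in OpenSSH-style auth log lines.

Added example for the thread; not code from any poster.  The log lines,
addresses and the LOCAL_ACCOUNTS set are constructed for the example.
"""
import re
from collections import defaultdict

# Constructed sample lines in the OpenSSH 3.x syslog style of 2004
# ("illegal user" for a nonexistent account).  Not from any real host.
SAMPLE_LOG = """\
Jul 29 18:38:15 host sshd[4711]: Illegal user test from 198.51.100.7
Jul 29 18:38:15 host sshd[4711]: Failed password for illegal user test from 198.51.100.7 port 33121 ssh2
Jul 29 18:38:17 host sshd[4713]: Illegal user guest from 198.51.100.7
Jul 29 18:38:17 host sshd[4713]: Failed password for illegal user guest from 198.51.100.7 port 33122 ssh2
Jul 29 19:02:01 host sshd[4801]: Failed password for root from 203.0.113.9 port 40001 ssh2
Jul 29 19:02:03 host sshd[4802]: Failed password for root from 203.0.113.9 port 40002 ssh2
Jul 29 19:02:05 host sshd[4803]: Failed password for root from 203.0.113.9 port 40003 ssh2
Jul 29 19:02:07 host sshd[4804]: Failed password for root from 203.0.113.9 port 40004 ssh2
Jul 29 20:11:42 host sshd[4950]: Accepted password for guest from 198.51.100.7 port 33140 ssh2
"""

# Accounts that really exist on the host (assumed for the example).
LOCAL_ACCOUNTS = {"root", "stefan"}

# One line per attempt; "Illegal user ..." lines are only a prelude and
# are deliberately not counted as attempts.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:illegal user |invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse(log_text):
    """Return a list of (src, user, result) tuples, one per login attempt."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m.group("src"), m.group("user"), m.group("result")))
    return events


def analyze(log_text, local_accounts=LOCAL_ACCOUNTS):
    """Classify activity per source address.

    Returns (summary, alarms):
      summary: {src: (kind, failed_attempts)} where kind is
               "probe"       - every user tried exactly once (the pattern
                               described in the thread),
               "brute-force" - some user tried three or more times,
               "other"       - anything in between;
      alarms:  [(src, user)] for every Accepted login as a user that is
               not in local_accounts, i.e. the "did not exist, yet got in"
               case the thread is worried about.
    """
    failures = defaultdict(lambda: defaultdict(int))
    alarms = []
    for src, user, result in parse(log_text):
        if result == "Accepted":
            if user not in local_accounts:
                alarms.append((src, user))
            continue
        failures[src][user] += 1

    summary = {}
    for src, per_user in failures.items():
        attempts = sum(per_user.values())
        worst = max(per_user.values())
        if worst == 1:
            kind = "probe"
        elif worst >= 3:
            kind = "brute-force"
        else:
            kind = "other"
        summary[src] = (kind, attempts)
    return summary, alarms


if __name__ == "__main__":
    summary, alarms = analyze(SAMPLE_LOG)
    for src, (kind, attempts) in sorted(summary.items()):
        print(f"{src:16} {kind:12} {attempts} failed attempt(s)")
    for src, user in alarms:
        print(f"ALARM: {src} logged in as '{user}', which is not a local account")
```

Pointing the script at a real /var/log/auth.log (or /var/log/secure) needs only the file contents in place of SAMPLE_LOG and the host's real account list (for example the login names from /etc/passwd) in place of LOCAL_ACCOUNTS; an "Accepted" line for an account that is not in that list is exactly the condition that deserves the byte-by-byte packet capture suggested earlier in the thread.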

