Security Incidents mailing list archives

Re: MASSIVE ssh attack attempt


From: core.lists.incidents () CORE-SDI COM (Iván Arce)
Date: Thu, 24 Feb 2000 21:45:23 -0300


"Jeffrey D. Carter" wrote:

Automatic digest processor <LISTSERV () lists securityfocus com>  writes:
-------------------------------------------------------------------------<
| Date:    Fri, 18 Feb 2000 15:15:03 -0800
| From:    Robert Graham <Robert.Graham () NETWORKICE COM>
| Subject: Re: MASSIVE ssh attack attempt
|
| PCanywhere uses UDP/22 rather than TCP/22.
|
| http://www.robertgraham.com/pubs/firewall-seen.html#port22
|
| My guess is this is just a massive scan for the recent RSAREF bug.
|
| Rob.
-------------------------------------------------------------------------<

Since the targets appear to all be the same machine, it doesn't seem likely
that this would be looking for the RSAREF problem. After all, if the
first connect doesn't compromise the host, 2 through N won't either.


That's not quite correct.
The publicly available ssh/RSAREF exploit client has a command-line
option to use a user-provided range of addresses to sweep to
find the right offset.
-ivan

-- 
"Understanding. A cerebral secretion that enables one having it to know
 a house from a horse by the roof on the house,
 Its nature and laws have been exhaustively expounded by Locke,
 who rode a house, and Kant, who lived in a horse." - Ambrose Bierce

==================[ CORE Seguridad de la Informacion S.A. ]=========
Iván Arce
Presidente
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A
email: iarce () core-sdi com
http://www.core-sdi.com
Pte. Juan D. Peron 315 Piso 4 UF 17
1038 Capital Federal
Buenos Aires, Argentina.              Tel/Fax : +(54-11) 4331-5402
Casilla de Correos 877 (1000) Correo Central
=====================================================================

--- For a personal reply use iarce () core-sdi com


