Security Incidents mailing list archives

Re: SSH attacks?


From: Valdis.Kletnieks () vt edu
Date: Thu, 29 Jul 2004 13:02:39 -0400

On Wed, 28 Jul 2004 22:05:24 +0300, Jyri Hovila <jyri.hovila () iki fi>  said:
> Hi again!
>
> It seems that at least one host has been rooted somehow relating to the
> scans we're seeing:
>
> http://www.dslreports.com/forum/remark,10854834~mode=flat~days=9999~start=60
>
> I'm pretty sure there is a new SSH exploit around. At least this clearly
> isn't a brute force attack.

I don't see anything at that URL to show that.  In fact, it shows:

Jul 12 22:26:51 server sshd[12868]: Accepted password for test from 130.15.15.239 port 1954 ssh2
Jul 12 22:42:35 server sshd[13998]: Accepted password for test from 216.55.164.10 port 56454 ssh2

Which pretty much tells me that it's far more likely that they actually
guessed the password to a badly secured userid than that there is some SSH
bug that makes the password check succeed.

If that post had anything like "The userid was disabled" or "The userid
had a password that pam_cracklib allowed through", then I'd be more likely
to think there was an exploit.

Scan several hundred thousand Linux boxes, you're sure to find a few that
are unpatched, or have stupid userids/passwords....

If there *WAS* an actual exploit, we'd be seeing more postings of "I got
r00ted by something" and less "anybody know what this is trying to do?"...
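The distinction Valdis draws above (a guessed password shows up as "Accepted password" after a run of failures, rather than as a flaw that lets the check succeed outright) can be checked directly in sshd's auth log. The script below is an added example, not code from the thread or from anyone on it: it parses constructed sample log lines in the same format as those quoted from the dslreports post, counts "Failed password" events per source IP, and flags any password login that follows a burst of failures from the same address, plus accounts that were logged into with a password from more than one source. The sample lines, the failure threshold of 3 and the function names are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample auth.log excerpt (not from the thread). The two
# "Accepted password for test" lines mirror the format quoted in the post;
# the "Failed password" lines before them are invented for illustration.
SAMPLE_LOG = """\
Jul 12 22:10:03 server sshd[12801]: Failed password for test from 130.15.15.239 port 1901 ssh2
Jul 12 22:10:09 server sshd[12803]: Failed password for test from 130.15.15.239 port 1905 ssh2
Jul 12 22:10:14 server sshd[12805]: Failed password for invalid user admin from 130.15.15.239 port 1910 ssh2
Jul 12 22:10:20 server sshd[12807]: Failed password for test from 130.15.15.239 port 1913 ssh2
Jul 12 22:26:51 server sshd[12868]: Accepted password for test from 130.15.15.239 port 1954 ssh2
Jul 12 22:30:00 server sshd[12900]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
Jul 12 22:42:35 server sshd[13998]: Accepted password for test from 216.55.164.10 port 56454 ssh2
"""

# Matches OpenSSH's "Accepted/Failed <method> for [invalid user] <user> from <ip> port <n>"
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_sshd(text):
    """Return a list of (result, method, user, ip) tuples, one per auth line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["result"], m["method"], m["user"], m["ip"]))
    return events


def find_guessed_logins(events, threshold=3):
    """Flag password logins preceded by >= threshold failures from the same IP.

    Returns a list of (user, ip, prior_failures). A success that arrives only
    after many failures from one source is the signature of guessing, which is
    what the log lines quoted in the thread suggest.
    """
    failures = defaultdict(int)  # source ip -> failed attempts seen so far
    hits = []
    for result, method, user, ip in events:
        if result == "Failed":
            failures[ip] += 1
        elif result == "Accepted" and method == "password" and failures[ip] >= threshold:
            hits.append((user, ip, failures[ip]))
    return hits


def password_logins_by_user(events):
    """Map each account to the set of source IPs that logged in by password.

    An account such as "test" reached by password from several unrelated
    addresses points to a weak or shared password rather than an sshd bug.
    """
    sources = defaultdict(set)
    for result, method, user, ip in events:
        if result == "Accepted" and method == "password":
            sources[user].add(ip)
    return dict(sources)


if __name__ == "__main__":
    evts = parse_sshd(SAMPLE_LOG)
    for user, ip, n in find_guessed_logins(evts):
        print(f"password login for {user} from {ip} after {n} failures")
    for user, ips in password_logins_by_user(evts).items():
        if len(ips) > 1:
            print(f"{user}: password logins from {len(ips)} sources: {sorted(ips)}")
```

Run against a real /var/log/auth.log (or the output of `journalctl -u ssh`) the same two checks apply unchanged; the threshold is a tuning knob, and a login flagged by the first check with no matching burst of failures from the same source would be the kind of evidence Valdis says the dslreports post lacks.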
