Security Incidents mailing list archives
Re: SSH attacks?
From: Valdis.Kletnieks () vt edu
Date: Thu, 29 Jul 2004 13:02:39 -0400
On Wed, 28 Jul 2004 22:05:24 +0300, Jyri Hovila <jyri.hovila () iki fi> said:
> Hi again! It seems that at least one host has been rooted somehow relating to the scans we're seeing:
> http://www.dslreports.com/forum/remark,10854834~mode=flat~days=9999~start=60
> I'm pretty sure there is a new SSH exploit around. At least this clearly isn't a brute force attack.

I don't see anything at that URL to show that. In fact, it shows:

Jul 12 22:26:51 server sshd[12868]: Accepted password for test from 130.15.15.239 port 1954 ssh2
Jul 12 22:42:35 server sshd[13998]: Accepted password for test from 216.55.164.10 port 56454 ssh2

Which pretty much tells me that it's far more likely that they actually guessed the password to a badly secured userid than there is some SSH bug that makes the password check succeed.

If that post had anything like "The userid was disabled" or "The userid had a password that pam_cracklib allowed through", then I'd be more likely to think there was an exploit.

Scan several hundred thousand Linux boxes, you're sure to find a few that are unpatched, or have stupid userids/passwords....

If there *WAS* an actual exploit, we'd be seeing more postings of "I got r00ted by something" and less "anybody know what this is trying to do?"...
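
Added example, not part of the original post: a small triage script for the reasoning in the message above, which reads sshd log lines and lists what makes each password login look like a guessed credential. The two "Accepted password" lines are the ones quoted in the post; the other log lines, the `GUESSABLE` name list and the function name `triage` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: lines 3 and 4 are quoted in the post, the rest are
# invented in the same syslog format to give the script something to correlate.
SAMPLE_LOG = """\
Jul 12 22:26:40 server sshd[12860]: Failed password for illegal user guest from 130.15.15.239 port 1950 ssh2
Jul 12 22:26:45 server sshd[12864]: Failed password for admin from 130.15.15.239 port 1952 ssh2
Jul 12 22:26:51 server sshd[12868]: Accepted password for test from 130.15.15.239 port 1954 ssh2
Jul 12 22:42:35 server sshd[13998]: Accepted password for test from 216.55.164.10 port 56454 ssh2
Jul 12 23:10:02 server sshd[14100]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
"""

# Matches both the older "illegal user" and the newer "invalid user" wording.
LINE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:(?:illegal|invalid) user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
GUESSABLE = {"test", "guest", "admin", "user"}  # assumed list, extend locally


def triage(log_text):
    """Return one finding per accepted *password* login, with its reasons."""
    failed = defaultdict(set)   # source IP -> accounts that failed from it so far
    sources = defaultdict(set)  # account -> IPs that logged in with a password
    findings = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        user, ip = m["user"], m["ip"]
        if m["result"] == "Failed":
            failed[ip].add(user)
            continue
        if m["method"] != "password":
            continue  # key-based logins cannot be the result of password guessing
        sources[user].add(ip)
        reasons = []
        if user in GUESSABLE:
            reasons.append("guessable account name")
        if failed[ip]:
            reasons.append(f"{len(failed[ip])} account(s) failed from this IP first")
        if len(sources[user]) > 1:
            reasons.append("same account used from multiple IPs")
        findings.append({"user": user, "ip": ip, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["user"], f["ip"], "; ".join(f["reasons"]) or "no indicator")
```

An accepted password login with no reasons attached is the case that would merit a closer look for something other than guessing.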