Security Incidents mailing list archives
Re: SSH attacks?
From: "Matt Beland" <matt () rearviewmirror org>
Date: Thu, 29 Jul 2004 10:03:12 -0700 (PDT)
Jyri Hovila said:
> I'm pretty sure there is a new SSH exploit around. At least this clearly isn't a brute force attack. As we are seeing lots of scans, but only few rooted hosts, it really doesn't look like a worm either. Someone seems to be scanning for vulnerable SSH daemons, obviously using previously rooted hosts, and then roots vulnerable hosts of his/her choice manually.

I think you're jumping to a conclusion here that the facts don't fully support.

1. The pattern of scans suggests at least an automated system, though not a fully autonomous worm; as you suggest, perhaps an automated scanner with manual follow-up on vulnerable hosts.

2. The (apparent) extremely low level of successful penetrations suggests that the attackers are simply searching for poorly secured systems, not an actual vulnerability in SSH. If I walk down a street checking all the doors on all the houses, and find two that were left unlocked, that doesn't mean all doors are vulnerable.

3. The apparent manual nature of the system compromises, in fact, suggests even more strongly that there *is* no OpenSSH vulnerability. If there were, the scum who found it would be more likely to automate the compromise and release it than simply use it selectively on hosts *after* attracting everyone's attention with an automated scan like this.

> As I wrote in my previous message, I think it's a good choice to limit access to SSH until this issue is solved.

Add a full stop after SSH, and delete the rest of the statement, and I'll agree with you.

--
Matt Beland
matt () rearviewmirror org
http://www.rearviewmirror.org