Security Incidents mailing list archives

Re: SSH attacks?


From: Alexander Klimov <alserkli () inbox ru>
Date: Fri, 30 Jul 2004 00:10:56 +0400

I started to receive the probes on Jul 15. They are always test/guest pairs from the same IP. Since then I got probes 
from: 131.234.36.152, 129.16.145.3, 220.120.156.28, 140.130.211.13, 211.42.223.200 (.de, .se, .tw and two NXDOMAINs). All 
have ssh: SSH-1.99-OpenSSH_3.8.1p1, SSH-2.0-OpenSSH_3.1p1 x3, SSH-1.99-OpenSSH_3.5p1. Those pre-3.7.1 can obviously be 
rooted through CA-2003-24, but AFAIK there are no exploits for 3.8.1p1 (BTW: OpenSSH 3.8.1p1 was released on Apr 19, 
2004). Telnet on some of them shows that they have RH Linux 7.3 and 9. No obvious combinations of l/p (test/test, test/, 
test/password and the same with guest) seem to work, but it is possible that they were fixed after the break-in. 

It could be that it is an ssh 0day: it is possible that an exploit works only with a correct uid, but we do not get a lot 
of compromise reports, so this version is not likely to be true. The second version, that it is just a test for simple 
l/p, is more likely because people who still use 3.1 and 3.5 are likely to have guest/guest, and they most probably 
never notice/report the compromise (not sure about the box with 3.8.1).
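The two checks a defender would want after reading the post above, written here as an added example (not code from the poster or from this list): first, pull the source IPs that tried the test/guest usernames out of sshd's syslog output, and second, decide from an SSH banner whether the OpenSSH release predates 3.7.1, the version the post names as the CA-2003-24 fix. The log lines below are constructed for the example and use documentation-range addresses, not the IPs in the post; the syslog line shapes ("Failed password for invalid user ... from ...") follow OpenSSH's usual wording and are an assumption about the reader's logging setup.

```python
import re
from collections import defaultdict

# Constructed sample sshd syslog lines (assumed format; not from the original post).
# 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_AUTH_LOG = """\
Jul 15 03:12:01 host sshd[4121]: Invalid user test from 192.0.2.10
Jul 15 03:12:01 host sshd[4121]: Failed password for invalid user test from 192.0.2.10 port 51022 ssh2
Jul 15 03:12:03 host sshd[4123]: Invalid user guest from 192.0.2.10
Jul 15 03:12:03 host sshd[4123]: Failed password for invalid user guest from 192.0.2.10 port 51024 ssh2
Jul 15 09:40:17 host sshd[4410]: Accepted publickey for alice from 198.51.100.7 port 40112 ssh2
Jul 16 11:05:44 host sshd[5102]: Failed password for invalid user test from 203.0.113.5 port 33000 ssh2
"""

# Matches both "Failed password for bob from ..." and "... for invalid user test from ...".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

# Usernames the post reports being probed; extend as local logs dictate.
PROBE_USERS = {"test", "guest"}


def find_probe_sources(log_text):
    """Return {ip: sorted usernames} for every source IP that failed a login
    as one of PROBE_USERS. Accepted logins and other names are ignored."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m and m.group("user") in PROBE_USERS:
            hits[m.group("ip")].add(m.group("user"))
    return {ip: sorted(users) for ip, users in hits.items()}


# SSH identification string: "SSH-<proto>-OpenSSH_<version>[p<portable patch>]".
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[\d.]+)-OpenSSH_(?P<ver>\d+(?:\.\d+)*)(?P<patch>p\d+)?"
)

# First release carrying the CA-2003-24 fix, as stated in the post.
CA_2003_24_FIXED = (3, 7, 1)


def parse_openssh_version(banner):
    """Return the OpenSSH version as a tuple of ints, or None for non-OpenSSH banners."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.group("ver").split("."))


def predates_ca_2003_24(banner):
    """True if the banner advertises an OpenSSH older than 3.7.1,
    False if 3.7.1 or newer, None if the banner is not OpenSSH at all."""
    version = parse_openssh_version(banner)
    if version is None:
        return None
    # Tuple comparison handles 2- and 3-part versions: (3, 5) < (3, 7, 1).
    return version < CA_2003_24_FIXED


if __name__ == "__main__":
    for ip, users in find_probe_sources(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: probed {', '.join(users)}")
    for banner in ("SSH-1.99-OpenSSH_3.8.1p1", "SSH-2.0-OpenSSH_3.1p1", "SSH-1.99-OpenSSH_3.5p1"):
        print(f"{banner}: pre-3.7.1 = {predates_ca_2003_24(banner)}")
```

Run it against a real /var/log/auth.log (or secure) by feeding the file contents to find_probe_sources; the banner check is for inventorying your own hosts, since a banner alone says nothing about backported distribution patches.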

