Re: [Full-Disclosure] Re: Automated SSH login attempts?

Valdis.Kletnieks_at_vt.edu
Date: 07/29/04

  • Next message: Max Valdez: "Re: [Full-Disclosure] Re: Automated SSH login attempts?"
    To: Stefan Janecek <stefan.janecek@jku.at>
    Date: Thu, 29 Jul 2004 15:35:43 -0400
    
    
    

    On Thu, 29 Jul 2004 18:38:15 +0200, Stefan Janecek <stefan.janecek@jku.at> said:
    >
    > This does not seem to be a stupid brute force attack, as there is only
    > one login attempt per user. Could it be that the tool tries to exploit
    > some vulnerability in the sshd, and just tries to look harmless by using
    > 'test' and 'guest' as usernames?

    Highly doubtful. It's easy enough to test though - just use the tool
    to poke another machine under your control, and use tcpdump or ethereal
    to capture all the traffic (don't forget '-s 1500' or similar for tcpdump
    to get the *whole* packet). Then somebody familiar with the SSH
    protocol can go through it byte by byte and look for anything odd.

    I don't expect we'll find anything, unless it's some very hard to trigger hole
    on some odd architecture. Remember - with all of these probes, we're only
    seeing a very few boxes actually get 0wned. More likely, script kiddies have
    re-discovered the concept that if there's 500 million boxes online, enough of
    them are administered by clueless people that they can snarf shells using a
    default userid/password pair.....

    
    

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
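
Added example, not part of the original post or the list archive: the pattern described in the quoted message (one failed login per username from a single source) can be told apart from repeated guessing against one account by grouping sshd failures per source address. The log lines are constructed, and the function name, labels and thresholds are assumptions.

```python
import re
from collections import defaultdict

# OpenSSH failed-password lines; older releases log "illegal user",
# newer ones "invalid user", and existing accounts have neither prefix.
FAILED = re.compile(
    r"Failed password for (?:(?:invalid|illegal) user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

# Constructed sample log (documentation address ranges, not real data).
SAMPLE_LOG = """\
Jul 29 16:01:02 host sshd[2101]: Failed password for illegal user test from 192.0.2.10 port 40112 ssh2
Jul 29 16:01:04 host sshd[2103]: Failed password for illegal user guest from 192.0.2.10 port 40115 ssh2
Jul 29 16:01:07 host sshd[2105]: Failed password for illegal user admin from 192.0.2.10 port 40119 ssh2
Jul 29 16:05:11 host sshd[2120]: Failed password for root from 198.51.100.7 port 51000 ssh2
Jul 29 16:05:13 host sshd[2121]: Failed password for root from 198.51.100.7 port 51002 ssh2
Jul 29 16:05:15 host sshd[2122]: Failed password for root from 198.51.100.7 port 51004 ssh2
Jul 29 16:05:17 host sshd[2123]: Failed password for root from 198.51.100.7 port 51006 ssh2
Jul 29 16:09:30 host sshd[2140]: Failed password for alice from 203.0.113.5 port 33001 ssh2
Jul 29 16:09:41 host sshd[2141]: Accepted password for alice from 203.0.113.5 port 33002 ssh2
"""

def classify_sources(log_text, min_users=2, min_attempts=4):
    """Map each source address to (label, usernames tried).

    min_users and min_attempts are illustrative thresholds (assumptions).
    """
    attempts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            attempts[m["src"]][m["user"]] += 1

    verdicts = {}
    for src, users in attempts.items():
        most = max(users.values())
        if len(users) >= min_users and most == 1:
            label = "account-sweep"        # many usernames, one try each
        elif most >= min_attempts:
            label = "password-guessing"    # repeated tries at one account
        else:
            label = "unclassified"         # e.g. a single mistyped password
        verdicts[src] = (label, sorted(users))
    return verdicts

if __name__ == "__main__":
    for src, (label, users) in sorted(classify_sources(SAMPLE_LOG).items()):
        print(f"{src:15} {label:18} {', '.join(users)}")
```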


