Re: Scans for SSHd via RIPE netblocks, anyone?

From: daniel uriah clemens (dclemens@inline.com)
Date: 10/22/01


Date: Mon, 22 Oct 2001 11:42:02 -0500 (CDT)
From: daniel uriah clemens <dclemens@inline.com>
To: "Jay D. Dyson" <jdyson@treachery.net>
Subject: Re: Scans for SSHd via RIPE netblocks, anyone?
Message-ID: <Pine.BSF.4.21.0110221139120.72650-100000@ns1.inlinenet.net>

SecurityFocus hinted that they were looking for information
concerning the SSH CRC-32 Compensation Attack Detector Vulnerability
released on Feb 8, earlier this year.

They then updated their database for the following entry.

>snip from securityfocus>
Successful exploitation of this vulnerability is extremely dependent on
attacker knowledge of the target process memory layout. This
makes 'one-shot' exploitation difficult. With repeated attempts and the
widespread use of binary ssh packages, exploitation of this
vulnerability 'in the wild' is not inconceivable.

There have been reports suggesting that this may be occurring.
Since early September, independent, reliable sources have confirmed that
this vulnerability is being exploited by attackers on the
Internet. Security Focus does not currently have the exploit code being
used, however this record will be updated if and when it becomes
available.

NOTE: Cisco 11000 Content Service Switch family is vulnerable to this
issue. All WebNS releases prior, but excluding, versions: 4.01
B42s, 4.10 22s, 5.0 B11s, 5.01 B6s, are vulnerable.

>unsnip>

bugtraq id 2347
object ssh, sshd
class Boundary Condition Error
cve CAN-2001-0144

remote Yes
local No
published Feb 08, 2001
updated Oct 19, 2001

Hope this helps.

Simply,

Daniel Uriah Clemens

- dclemens@inline.com

"The right to freedom being the gift of God Almighty, it is not in the
power of man to alienate this gift and voluntarily become a
slave." --Samuel Adams

On Sun, 21 Oct 2001, Jay D. Dyson wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
>
> Hi folks,
>
> No great shakes here, but I'm curious to know if anyone else is
> seeing concerted SSHd scans coming from RIPE netblocks lately. I've noted
> a few here and, while I considered them oddities at first, I'm starting to
> wonder if someone (or something) across the Atlantic doesn't have the
> much-ballyhoo'd "0day for sale."
>
> I'm not bored enough to see what they're really up to (yet), so I
> figured I'd just toss this out for general consideration.
>
> Oh yeah, the latest scan came from 193.206.153.7.
>
> - -Jay
>
> ( ( _______
> )) )) .-"There's always time for a good cup of coffee."-. >====<--.
> C|~~|C|~~| (>------ Jay D. Dyson - jdyson@treachery.net ------<) | = |-'
> `--' `--' `- Peace without justice is life without living. -' `------'
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
>
