Re: SSH attacks?

From: Chris Brenton (
Date: 07/29/04

  • Next message: Jyri Hovila: "Re: SSH attacks?"
    To: Jyri Hovila <>
    Date: Thu, 29 Jul 2004 15:03:21 -0400

    On Wed, 2004-07-28 at 15:05, Jyri Hovila wrote:
    > It seems that at least one host has been rooted somehow relating to the
    > scans we're seeing:

    More than just one. I'm willing to bet every source IP that hits you was
    compromised the same way.

    One interesting tid bit I've noticed is that every source IP I've
    checked had SQL listening. Not sure if its related or a coincidence.

    > I'm pretty sure there is a new SSH exploit around. At least this clearly
    > isn't a brute force attack.

    I guess I don't see how you are drawing that conclusion. To quote from
    the link you provided above:

    Jul 12 22:26:51 server sshd[12868]: Accepted password for test from port 1954 ssh2
    Jul 12 22:42:35 server sshd[13998]: Accepted password for test from port 56454 ssh2

    IMHO this *is not* an exploit, but rather a connection due to a poor
    password policy for the user "test" (in other words, this is classic
    brute force). You could be running an outdated SSH version, use good
    passwords, and be totally safe from this type of attack (not that I'm
    advocating running outdated software, just trying to make a point).

    > As we are seeing lots of scans, but only few
    > rooted hosts, it really doesn't look like a worm either. Someone seems
    > to be scanning for vulnerable SSH daemons, obviously using previously
    > rooted hosts, and then roots vulnerable hosts of his/her choice
    > manually.

    Based on the info I've seen, I believe the brute force portion is
    automated while the actual toolkit install and "rooting" is being done
    manually. It looks too much like a newbie fumbling around.

    > As I wrote in my previous message, I think it's a good choise to limit
    > access to SSH until this issue is solved.

    Always a good idea, but if it was me I would grab a copy of John The
    Ripper, the passwd & shadow files, and ensure you are using decent
    password on all of your accounts.


  • Next message: Jyri Hovila: "Re: SSH attacks?"