Re: SSH attacks?
Date: 07/29/04

  • Next message: John Bossert: "Re: SSH attacks?"
    To: Jyri Hovila <>
    Date: Thu, 29 Jul 2004 13:02:39 -0400

    On Wed, 28 Jul 2004 22:05:24 +0300, Jyri Hovila <> said:
    > Hi again!
    > It seems that at least one host has been rooted somehow relating to the
    > scans we're seeing:
    > I'm pretty sure there is a new SSH exploit around. At least this clearly
    > isn't a brute force attack.

    I don't see anything at that URL to show that. In fact, it shows:

    Jul 12 22:26:51 server sshd[12868]: Accepted password for test from port 1954 ssh2
    Jul 12 22:42:35 server sshd[13998]: Accepted password for test from port 56454 ssh2

    Which pretty much tells me that it's far more likely that they actually
    guessed the password to a badly secured userid than there is some SSH
    bug that makes the password check succeed.

    If that post had anything like "The userid was disabled" or "The userid
    had a password that pam_cracklib allowed through", then I'd be more likely
    to think there was an exploit.

    Scan several hundred thousand Linux boxes, you're sure to find a few that
    are unpatched, or have stupid userids/passwords....

    If there *WAS* an actual exploit, we'd be seeing more postings of "I got
    r00ted by something" and less "anybody know what this is trying to do?"...
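
An added example, not part of the original message: one way to check sshd logs for the pattern the reply describes, a password login that succeeds after a run of failed password attempts from the same source. The log lines, addresses and the min_failures threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in OpenSSH syslog format; 192.0.2.x and 198.51.100.x
# are documentation addresses, not taken from the thread.
SAMPLE_LOG = """\
Jul 12 22:20:01 server sshd[12801]: Failed password for root from 192.0.2.10 port 1901 ssh2
Jul 12 22:20:04 server sshd[12803]: Failed password for invalid user guest from 192.0.2.10 port 1907 ssh2
Jul 12 22:20:07 server sshd[12805]: Failed password for test from 192.0.2.10 port 1913 ssh2
Jul 12 22:26:51 server sshd[12868]: Accepted password for test from 192.0.2.10 port 1954 ssh2
Jul 12 23:05:12 server sshd[14110]: Accepted password for alice from 198.51.100.7 port 40022 ssh2
Jul 12 23:09:40 server sshd[14150]: Failed password for alice from 198.51.100.8 port 40100 ssh2
Jul 12 23:09:55 server sshd[14152]: Accepted publickey for bob from 198.51.100.9 port 40200 ssh2
"""

# Older OpenSSH releases log "illegal user", newer ones "invalid user".
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:(?:invalid|illegal) user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def guessed_logins(log_text, min_failures=3):
    """Return (src, user, failures_before, users_tried) for every password
    login preceded by at least min_failures failed passwords from that source."""
    failures = defaultdict(int)   # source address -> failed password count
    users = defaultdict(set)      # source address -> user names attempted
    hits = []
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m or m["method"] != "password":
            continue              # ignore publickey and unrelated lines
        src, user = m["src"], m["user"]
        if m["result"] == "Failed":
            failures[src] += 1
            users[src].add(user)
        elif failures[src] >= min_failures:
            hits.append((src, user, failures[src], sorted(users[src])))
    return hits

if __name__ == "__main__":
    for src, user, n, tried in guessed_logins(SAMPLE_LOG):
        print(f"{src}: login as {user!r} after {n} failed passwords (users tried: {tried})")
```

A hit means the account's password was accepted after guessing, which points at a weak password rather than a flaw in the password check.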

