Re: SSH attacks?
To: Jyri Hovila <email@example.com> Date: Thu, 29 Jul 2004 13:02:39 -0400
On Wed, 28 Jul 2004 22:05:24 +0300, Jyri Hovila <firstname.lastname@example.org> said:
> Hi again!
> It seems that at least one host has been rooted somehow relating to the
> scans we're seeing:
> I'm pretty sure there is a new SSH exploit around. At least this clearly
> isn't a brute force attack.
I don't see anything at that URL to show that. In fact, it shows:
ul 12 22:26:51 server sshd: Accepted password for test from 126.96.36.199 port 1954 ssh2
Jul 12 22:42:35 server sshd: Accepted password for test from 188.8.131.52 port 56454 ssh2
Which pretty much tells me that it's far more likely that they actually
guessed the password to a badly secured userid than there is some SSH
bug that make the password check succeed.
If that post had anything like "The userid was disabled" or "The userid
had a password that pam_cracklib allowed through", then I'd be more likely
to think there was an exploit.
Scan several hundred thousand Linux boxes, you're sure to find a few that
are unpatched, or have stupid userids/passwords....
If there *WAS* an actual exploit, we'd be seeing more postings of "I got
r00ted by something" and less "anybody know what this is trying to do?"...
- application/pgp-signature attachment: stored