Re: SSH attacks?
Valdis.Kletnieks_at_vt.edu
Date: 07/29/04
- Previous message: Marcus Merrin: "Re: SSH attacks?"
- In reply to: Jyri Hovila: "Re: SSH attacks?"
- Next in thread: Thomas Hochstein: "Re: SSH attacks?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Jyri Hovila <jyri.hovila@iki.fi> Date: Thu, 29 Jul 2004 13:02:39 -0400
On Wed, 28 Jul 2004 22:05:24 +0300, Jyri Hovila <jyri.hovila@iki.fi> said:
> Hi again!
>
> It seems that at least one host has been rooted somehow relating to the
> scans we're seeing:
>
> http://www.dslreports.com/forum/remark,10854834~mode=flat~days=9999~start=60
>
> I'm pretty sure there is a new SSH exploit around. At least this clearly
> isn't a brute force attack.
I don't see anything at that URL to show that. In fact, it shows:
ul 12 22:26:51 server sshd[12868]: Accepted password for test from 130.15.15.239 port 1954 ssh2
Jul 12 22:42:35 server sshd[13998]: Accepted password for test from 216.55.164.10 port 56454 ssh2
Which pretty much tells me that it's far more likely that they actually
guessed the password to a badly secured userid than there is some SSH
bug that make the password check succeed.
If that post had anything like "The userid was disabled" or "The userid
had a password that pam_cracklib allowed through", then I'd be more likely
to think there was an exploit.
Scan several hundred thousand Linux boxes, you're sure to find a few that
are unpatched, or have stupid userids/passwords....
If there *WAS* an actual exploit, we'd be seeing more postings of "I got
r00ted by something" and less "anybody know what this is trying to do?"...
- application/pgp-signature attachment: stored
- Previous message: Marcus Merrin: "Re: SSH attacks?"
- In reply to: Jyri Hovila: "Re: SSH attacks?"
- Next in thread: Thomas Hochstein: "Re: SSH attacks?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
