Re: SSH attacks?

Valdis.Kletnieks_at_vt.edu
Date: 07/29/04

  • Next message: John Bossert: "Re: SSH attacks?"
    To: Jyri Hovila <jyri.hovila@iki.fi>
    Date: Thu, 29 Jul 2004 13:02:39 -0400
    
    
    

    On Wed, 28 Jul 2004 22:05:24 +0300, Jyri Hovila <jyri.hovila@iki.fi> said:
    > Hi again!
    >
    > It seems that at least one host has been rooted somehow relating to the
    > scans we're seeing:
    >
    > http://www.dslreports.com/forum/remark,10854834~mode=flat~days=9999~start=60
    >
    > I'm pretty sure there is a new SSH exploit around. At least this clearly
    > isn't a brute force attack.

    I don't see anything at that URL to show that. In fact, it shows:

    ul 12 22:26:51 server sshd[12868]: Accepted password for test from 130.15.15.239 port 1954 ssh2
    Jul 12 22:42:35 server sshd[13998]: Accepted password for test from 216.55.164.10 port 56454 ssh2

    Which pretty much tells me that it's far more likely that they actually
    guessed the password to a badly secured userid than there is some SSH
    bug that make the password check succeed.

    If that post had anything like "The userid was disabled" or "The userid
    had a password that pam_cracklib allowed through", then I'd be more likely
    to think there was an exploit.

    Scan several hundred thousand Linux boxes, you're sure to find a few that
    are unpatched, or have stupid userids/passwords....

    If there *WAS* an actual exploit, we'd be seeing more postings of "I got
    r00ted by something" and less "anybody know what this is trying to do?"...

    
    



  • Next message: John Bossert: "Re: SSH attacks?"

    Relevant Pages