Re: SSH bruteforce on its way...
From: Justin (justinvinn_at_gmail.com)
Date: 10/26/05
- Previous message: Kurt Seifried: "Re: SSH bruteforce on its way..."
- In reply to: Russell Fulton: "Re: SSH bruteforce on its way..."
- Next in thread: Daniel Cid: "Re: SSH bruteforce on its way..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 26 Oct 2005 13:38:55 -0400
To: Russell Fulton <r.fulton@auckland.ac.nz>
Russell,
I know that someone has already provided you with some info, but here
is some more:
http://www.milw0rm.com/id.php?id=26
That's the gossh.sh exploit. While it is not that reliable, it is a PoC.
http://www.securityfocus.com/bid/11781/discuss
That's a PAM weakness (another timing attack) that enabled remote
attackers to discover valid usernames.
http://www.securityfocus.com/bid/7467
That's another PAM weakness. It's the SecurityFocus BID for the gossh.sh exploit.
http://www.securityfocus.com/bid/7482
That's a timing attack that may allow a remote attacker to guess the
root/administrative password.
A simple Google search like the one posted previously will turn up more info.
peace,
--Justin
On 10/24/05, Russell Fulton <r.fulton@auckland.ac.nz> wrote:
>
>
> Justin wrote:
> > Jouser,
> >
> > Nah, there were some exploits a while back that took advantage of
> > some timing flaws in the SSHd that let attackers determine valid
> > usernames.
> Would you please provide some supporting references. I cannot find any
> evidence of existing timing attacks against OpenSSH. In fact OpenSSH
> goes to some trouble to defeat such attacks.
>
> While on this thread, one effective countermeasure against brute force
> password attacks is to use decent passwords which everyone should be
> doing anyway. We have lost about 3 systems here to ssh brute force
> attacks and in all cases the systems were in serious breach of our
> policies (which are not particularly draconian).
>
> In one case I did feel a bit sorry for the victims, they had installed a
> third party package that created an account with an insecure password
> and they never noticed. A good case for a simple monitoring script like
> the one that is run nightly on OBSD systems that warns you about changes
> in critical files.
>
> Russell.
>
> >
> > peace,
> > --Justin
> >
> > On 21 Oct 2005 18:05:27 -0000, jouser@gmail.com <jouser@gmail.com> wrote:
> >
> >>I didn't think it was possible to determine valid usernames by themselves? You either have a valid username AND password or not.
> >>
>
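Russell's "simple monitoring script" countermeasure, as an added example that is not part of this thread: a nightly check that compares the current passwd file with the previous snapshot and reports new accounts, accounts whose shadow password field is empty, and uid-0 accounts other than root. It assumes Linux-style passwd/shadow formats; the file contents below are constructed sample data, not real system files.

```python
# Added example: a nightly account-change check in the spirit of the OpenBSD
# security script mentioned above. It compares a passwd snapshot against the
# current file and flags new accounts, accounts with an empty shadow password
# field, and non-root uid-0 accounts. All data below is constructed sample input.

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Map username -> (uid, shell) from passwd-format text, skipping malformed lines."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2].isdigit():
            users[fields[0]] = (int(fields[2]), fields[6])
    return users


def parse_shadow(text):
    """Map username -> password field ('' means no password is required to log in)."""
    return {f[0]: f[1] for f in (l.split(":") for l in text.splitlines()) if len(f) >= 2}


def audit(baseline_passwd, current_passwd, current_shadow):
    """Return (username, reason) findings a nightly report would mail to the admin."""
    old = parse_passwd(baseline_passwd)
    new = parse_passwd(current_passwd)
    shadow = parse_shadow(current_shadow)
    findings = []
    for name, (uid, shell) in sorted(new.items()):
        if name not in old:
            findings.append((name, "new account since last snapshot"))
            if shell not in NOLOGIN_SHELLS:
                findings.append((name, "new account has interactive shell " + shell))
        if shadow.get(name) == "":
            findings.append((name, "empty password field: login without a password"))
        if uid == 0 and name != "root":
            findings.append((name, "uid 0 account other than root"))
    return findings


# Constructed sample: a third-party package added 'pkgsvc' and never set a password.
BASELINE_PASSWD = "root:*:0:0:Charlie &:/root:/bin/ksh\nwww:*:67:67:HTTP Server:/var/www:/sbin/nologin\n"
CURRENT_PASSWD = BASELINE_PASSWD + "pkgsvc:*:1001:1001:Third-party package:/var/pkgsvc:/bin/sh\n"
CURRENT_SHADOW = "root:$2b$10$placeholderhash:0:0:99999:7:::\nwww:*:0:0:99999:7:::\npkgsvc::0:0:99999:7:::\n"

if __name__ == "__main__":
    for user, reason in audit(BASELINE_PASSWD, CURRENT_PASSWD, CURRENT_SHADOW):
        print(f"WARNING: {user}: {reason}")
```

On a real host the baseline snapshot would be written by the previous night's run and the report mailed to the administrator, as the OpenBSD daily security output is.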