Security Incidents mailing list archives
Re: SSH attacks?
From: Alexander Klimov <alserkli () inbox ru>
Date: Fri, 30 Jul 2004 00:10:56 +0400
I started to receive the probes on Jul 15. They are always test/guest pairs from the same IP. Since then I got probes from: 131.234.36.152, 129.16.145.3, 220.120.156.28, 140.130.211.13, 211.42.223.200 (.de, .se, .tw and two NXDOMAINs). All have ssh: SSH-1.99-OpenSSH_3.8.1p1, SSH-2.0-OpenSSH_3.1p1 x3, SSH-1.99-OpenSSH_3.5p1. Those pre 3.7.1 can obviously be rooted through CA-2003-24, but AFAIK there are no exploits for 3.8.1p1 (BTW: OpenSSH 3.8.1p1 was released on Apr 19, 2004). Telnet on some of them shows that they have RH Linux 7.3 and 9. No obvious combinations of l/p (test/test, test/, test/password and the same with guest) seem to work, but it is possible that they were fixed after the break-in.

It could be that it is an ssh 0day: it is possible that an exploit works only with a correct uid, but we do not get a lot of compromise reports, so this version is not likely to be true. The second version, that it is just a test for simple l/p, is more likely because people who still use 3.1 and 3.5 are likely to have guest/guest, and they most probably never notice/report the compromise (not sure about the box with 3.8.1).
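Detection logic for the two observations in the post (test/guest pairs from one source IP, and peer banners advertising OpenSSH older than the 3.7.1 CA-2003-24 fix), as an added example that is not part of the original message. The log lines are constructed; the regex assumes the standard sshd "Failed password" syslog format.

```python
import re
from collections import defaultdict

# Constructed sample sshd auth log lines (not from the original post).
SAMPLE_LOG = """\
Jul 15 03:12:01 host sshd[2011]: Failed password for invalid user test from 131.234.36.152 port 40122 ssh2
Jul 15 03:12:04 host sshd[2013]: Failed password for invalid user guest from 131.234.36.152 port 40131 ssh2
Jul 16 11:40:17 host sshd[2104]: Failed password for alice from 10.0.0.5 port 51234 ssh2
Jul 17 09:01:55 host sshd[2211]: Failed password for invalid user test from 129.16.145.3 port 1450 ssh2
Jul 17 09:01:58 host sshd[2212]: Failed password for invalid user guest from 129.16.145.3 port 1451 ssh2
"""

PROBE_USERS = {"test", "guest"}
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")


def find_probe_sources(log):
    """Return {ip: sorted usernames} for every IP that tried both 'test' and 'guest'."""
    seen = defaultdict(set)
    for line in log.splitlines():
        m = FAIL_RE.search(line)
        if m and m.group(1) in PROBE_USERS:
            seen[m.group(2)].add(m.group(1))
    # Only sources that probed the full test/guest pair count as the pattern in the post.
    return {ip: sorted(users) for ip, users in seen.items() if users == PROBE_USERS}


# Matches the version banners quoted in the post, e.g. "SSH-1.99-OpenSSH_3.8.1p1".
BANNER_RE = re.compile(r"^SSH-(?:1\.99|2\.0)-OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?p?\d*")


def openssh_version(banner):
    """Parse an OpenSSH banner into a (major, minor, patch) tuple, or None if not OpenSSH."""
    m = BANNER_RE.match(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def predates_ca_2003_24_fix(banner):
    """True when the peer advertises OpenSSH older than 3.7.1 (first release fixing CA-2003-24)."""
    v = openssh_version(banner)
    return v is not None and v < (3, 7, 1)
```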