Message-ID: <200407291935.i6TJZhuT014178@turing-police.cc.vt.edu>
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: Re: Automated SSH login attempts?
On Thu, 29 Jul 2004 18:38:15 +0200, Stefan Janecek <stefan.janecek@....at> said:
>
> This does not seem to be a stupid brute force attack, as there is only
> one login attempt per user. Could it be that the tool tries to exploit
> some vulnerability in the sshd, and just tries to look harmless by using
> 'test' and 'guest' as usernames?

Highly doubtful. It's easy enough to test though - just use the tool
to poke another machine under your control, and use tcpdump or ethereal
to capture all the traffic (don't forget '-s 1500' or similar for tcpdump
to get the *whole* packet). Then somebody familiar with the SSH
protocol can go through it byte by byte and look for anything odd.

I don't expect we'll find anything, unless it's some very hard to trigger hole
on some odd architecture. Remember - with all of these probes, we're only
seeing a very few boxes actually get 0wned. More likely, script kiddies have
re-discovered the concept that if there's 500 million boxes online, enough of
them are administered by clueless people that they can snarf shells using a
default userid/password pair.....
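
Added example, not part of the original message: a log check that separates the pattern described in the quoted question (many usernames, one attempt each) from a password brute force against a single account. The sample log lines, addresses and thresholds are constructed assumptions; the line format is OpenSSH's "Failed password" message, which marks unknown accounts as "illegal user" or "invalid user" depending on the release.

```python
import re
from collections import Counter, defaultdict

# OpenSSH failed-password line, with or without the unknown-account marker.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?:invalid|illegal) user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample lines using documentation address ranges.
SAMPLE_LOG = """\
Jul 29 18:01:02 host sshd[2101]: Failed password for illegal user test from 192.0.2.10 port 40112 ssh2
Jul 29 18:01:04 host sshd[2103]: Failed password for illegal user guest from 192.0.2.10 port 40115 ssh2
Jul 29 18:20:11 host sshd[2150]: Failed password for root from 198.51.100.7 port 51000 ssh2
Jul 29 18:20:13 host sshd[2151]: Failed password for root from 198.51.100.7 port 51002 ssh2
Jul 29 18:20:15 host sshd[2152]: Failed password for root from 198.51.100.7 port 51004 ssh2
Jul 29 19:05:40 host sshd[2200]: Failed password for invalid user admin from 203.0.113.5 port 33010 ssh2
"""


def classify(log_text, min_users=2, brute_threshold=3):
    """Return {source address: verdict} for failed SSH password logins.

    min_users and brute_threshold are illustrative thresholds (assumptions).
    """
    per_src = defaultdict(Counter)  # source -> Counter of usernames tried
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            per_src[m["src"]][m["user"]] += 1

    verdicts = {}
    for src, users in per_src.items():
        most_tried = max(users.values())
        if len(users) >= min_users and most_tried == 1:
            # Several accounts, a single guess each: default-pair probing.
            verdicts[src] = "default-account probe"
        elif most_tried >= brute_threshold:
            # Repeated guesses against the same account.
            verdicts[src] = "password brute force"
        else:
            verdicts[src] = "unclassified"
    return verdicts


if __name__ == "__main__":
    for src, verdict in sorted(classify(SAMPLE_LOG).items()):
        print(f"{src:15} {verdict}")
```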