Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Fwd: Re: [Full-Disclosure] Re: Automated SSH login attempts?]

from [Kenneth Ng] Network Security [Permanent Link]
Subject: Re: [Fwd: Re: [Full-Disclosure] Re: Automated SSH login attempts?]
Date: Fri, 30 Jul 2004 08:25:17 -0400 
I get at least a couple of probes every day.  Almost all are refused
because I have a very restrictive /etc/hosts.allow list.

On Fri, 30 Jul 2004 12:14:30 +0200, Stefan Janecek
<stefan.janecek@jku.at> wrote:

uuups - forgot to cc the list on this one. sorry.
-----Forwarded Message-----
From: Stefan Janecek <stefan.janecek@jku.at>
To: Valdis.Kletnieks@vt.edu
Subject: Re: [Full-Disclosure] Re: Automated SSH login attempts?
Date: Fri, 30 Jul 2004 11:45:51 +0200
On Thu, 2004-07-29 at 21:35, Valdis.Kletnieks@vt.edu wrote:

On Thu, 29 Jul 2004 18:38:15 +0200, Stefan Janecek <stefan.janecek@jku.at>  
said:


This does not seem to be a stupid brute force attack, as there is only
one login attempt per user. Could it be that the tool tries to exploit
some vulnerability in the sshd, and just tries to look harmless by using
'test' and 'guest' as usernames?


Highly doubtful.  It's easy enough to test though - just use the tool
to poke another machine under your control, and use tcpdump or ethereal
to capture all the traffic (don't forget '-s 1500' or similar for tcpdump
to get the *whole* packet).  Then somebody familiar with the SSH
protocol can go through it byte by byte and look for anything odd.

I don't expect we'll find anything, unless it's some very hard to trigger 
hole
on some odd architecture. Remember - with all of these probes, we're only
seeing a very few boxes actually get 0wned. More likely, script kiddies have
re-discovered the concept that if there's 500 million boxes online, enough 
of
them are administered by clueless people that they can snarf shells using a
default userid/password pair.....




This is exactly what I did. The tool tries to login as users 'test' and
'guest'. But I don't think it is about just snarfing passwords, because
those users did not exist on the compromised machine - yet they got in.

My personal feeling is (given their poor success) that they are using
some old-fart ssh vulnerability. The compromised machine had an uptime
of 254 days if I remember correctly, and was hardly used during this
time, nor has it been updated. Still I would really like to know
*exactly* what they are doing, just to make sure...




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: [Full-Disclosure] CHX-I, Clement Dupuis
Next by Date:  RE: [Full-Disclosure] Automated SSH login attempts?, Todd Towles
Previous by Thread:  [Fwd: Re: [Full-Disclosure] Re: Automated SSH login attempts?], Stefan Janecek
Next by Thread:  [Full-Disclosure] [VSA0402] OpenFTPD format string vulnerability, VOID.AT Security
Indexes:  [Date] [Thread] [Top] [All Lists]