[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] Re: Automated SSH login attempts?

To: Stefan Janecek <stefan.janecek@xxxxxx>
Subject: Re: [Full-Disclosure] Re: Automated SSH login attempts?
From: dmargoli@xxxxxxxxxx
Date: Thu, 29 Jul 2004 13:52:29 -0400

Stefan Janecek wrote:

This does not seem to be a stupid brute force attack, as there is only
one login attempt per user. Could it be that the tool tries to exploit
some vulnerability in the sshd, and just tries to look harmless by using
'test' and 'guest' as usernames?

The compromised machine was running an old debian woody installation
which had not been upgraded for at least one year, the sshd version
string says 'OpenSSH_3.6.1p2 Debian 1:3.6.1p2-10'

Does the Debian machine that was compromised have a ``test'' or ``guest'' username?

Also, if it wasn't patched in a year, it may still be vulnerable to this: http://www.cert.org/advisories/CA-2003-24.html

I would tend to think this isn't a 0day kinda vuln, as if it were, he'd be a lot more successful than he seems (unless we're all rooted and don't even know it). But who can tell?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- Re: [Full-Disclosure] Re: Automated SSH login attempts?
  - From: Stefan Janecek

References:
- [Full-Disclosure] Re: Automated SSH login attempts?
  - From: Stefan Janecek

Prev by Date: [Full-Disclosure] Re: OpenServer 5.0.6 OpenServer 5.0.7 : Multiple Vulnerabilities in Sendmail
Next by Date: Re: [Full-Disclosure] Crash IE with 11 bytes ;)
Previous by thread: Re: [Full-Disclosure] Re: Automated SSH login attempts?
Next by thread: Re: [Full-Disclosure] Re: Automated SSH login attempts?
Index(es):
- Date
- Thread