Security Basics mailing list archives

SSH newkeys.
From: Paul Halliday <paul.halliday () gmail com>
Date: Fri, 11 Dec 2009 10:12:39 -0400

I had a host that was compromised over the weekend and I am still
scratching my head a bit on what went on.

Before the box was rooted there were a bunch of these:

46      2009-12-06 09:27:55.644224     22     36332   SSHv2   Server: New Keys
47      2009-12-06 09:27:55.799383     36332     22      SSHv2   Client: New Keys

These occurred about every 3-4 seconds. In total less than 500 of
these before another host swept in with the correct key.
There were no previous scans to this host and it was a relatively new install.

I have played with a couple different ssh scanners and I can't
duplicate this pattern.

I am reading: http://www.snailbook.com/docs/transport.txt between 7.3 and 8.

This isn't a user/password exchange.

Can anyone shed some light on what was going on?
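
An added example, not part of the original post: a Python parser for capture summary lines in the format quoted above. It counts connections in which both sides sent New Keys (the message that ends key exchange, RFC 4253 section 7.3) and measures the spacing between them. The column layout is inferred from the two quoted lines, the function names and `server_port` are assumptions, and every sample row except frames 46 and 47 is constructed.

```python
import re
from datetime import datetime
from statistics import median

# Constructed sample in the column layout of the two capture lines in the post
# (frame, date, time, src port, dst port, protocol, info). Frames 46/47 are from
# the post; every other frame, port and timestamp is invented for illustration.
SAMPLE = """\
46      2009-12-06 09:27:55.644224     22     36332   SSHv2   Server:
New Keys
47      2009-12-06 09:27:55.799383     36332     22      SSHv2   Client:
New Keys
58 2009-12-06 09:27:59.101000 22 36340 SSHv2 Server: New Keys
59 2009-12-06 09:27:59.260000 36340 22 SSHv2 Client: New Keys
71 2009-12-06 09:28:02.700000 22 36351 SSHv2 Server: New Keys
72 2009-12-06 09:28:02.850000 36351 22 SSHv2 Client: New Keys
80 2009-12-06 09:28:06.000000 22 36360 SSHv2 Server: New Keys
"""

ROW = re.compile(r"^\s*\d+\s+(\S+ \S+)\s+(\d+)\s+(\d+)\s+SSHv2\s+(Server|Client): New Keys\s*$")

def newkeys_events(text, server_port=22):
    """Yield (timestamp, client_port, side) for each New Keys row."""
    text = re.sub(r":[ \t]*\n[ \t]*New Keys", ": New Keys", text)  # undo e-mail line wrap
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        src, dst, side = int(m.group(2)), int(m.group(3)), m.group(4)
        client_port = dst if src == server_port else src
        yield ts, client_port, side

def summarize(text, server_port=22):
    """Count connections where both sides sent New Keys and measure their spacing."""
    seen = {}  # client port -> {"Server": ts, "Client": ts}; a reused port overwrites
    for ts, port, side in newkeys_events(text, server_port):
        seen.setdefault(port, {})[side] = ts
    done = sorted(max(s.values()) for s in seen.values() if len(s) == 2)
    gaps = [(b - a).total_seconds() for a, b in zip(done, done[1:])]
    return {
        "completed": len(done),
        "incomplete_ports": sorted(p for p, s in seen.items() if len(s) < 2),
        "median_gap_s": median(gaps) if gaps else None,
        "gap_range_s": (min(gaps), max(gaps)) if gaps else None,
    }
```
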



