Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Re: Automated SSH login attempts?
From: Valdis.Kletnieks () vt edu
Date: Thu, 29 Jul 2004 15:35:43 -0400

On Thu, 29 Jul 2004 18:38:15 +0200, Stefan Janecek <stefan.janecek () jku at>  said:

This does not seem to be a stupid brute force attack, as there is only
one login attempt per user. Could it be that the tool tries to exploit
some vulnerability in the sshd, and just tries to look harmless by using
'test' and 'guest' as usernames?

Highly doubtful.  It's easy enough to test though - just use the tool
to poke another machine under your control, and use tcpdump or ethereal
to capture all the traffic (don't forget '-s 1500' or similar for tcpdump
to get the *whole* packet).  Then somebody familiar with the SSH
protocol can go through it byte by byte and look for anything odd.

I don't expect we'll find anything, unless it's some very hard to trigger hole
on some odd architecture. Remember - with all of these probes, we're only
seeing a very few boxes actually get 0wned. More likely, script kiddies have
re-discovered the concept that if there's 500 million boxes online, enough of
them are administered by clueless people that they can snarf shells using a
default userid/password pair.....

Attachment: _bin

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]