Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Re: Automated SSH login attempts?
From: Stefan Janecek <stefan.janecek () jku at>
Date: Fri, 30 Jul 2004 11:38:53 +0200

On Thu, 2004-07-29 at 19:52, dmargoli () stwing org wrote:
Stefan Janecek wrote:

This does not seem to be a stupid brute force attack, as there is only
one login attempt per user. Could it be that the tool tries to exploit
some vulnerability in the sshd, and just tries to look harmless by using
'test' and 'guest' as usernames?

The compromised machine was running an old debian woody installation
which had not been upgraded for at least one year, the sshd version
string says 'OpenSSH_3.6.1p2 Debian 1:3.6.1p2-10'

Does the Debian machine that was compromised have a ``test'' or 
``guest'' username?


Also, if it wasn't patched in a year, it may still be vulnerable to 
this: http://www.cert.org/advisories/CA-2003-24.html

Thanks, I'll have a look at it.

I would tend to think this isn't a 0day kinda vuln, as if it were, he'd 
be a lot more successful than he seems (unless we're all rooted and 
don't even know it). But who can tell?

Yes, agreed - I am also convinced it must be something old, and
shouldn't be dangerous for reasonably administered machines.

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]