Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Brain dead SSH scans from Italy
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sat, 29 Oct 2005 17:17:22 +1300

Etaoin Shrdlu wrote:

Thanks to whomever finally got through, however you did it. I had actually
allowed one host to start responding, and it had gotten to the part I
always least understand, i.e. the tries for root's password. I mean,
really, are there that many hosts out there with root accounts that can be
guessed with an automated password guesser?  ...

Define "that many"...

It's not about the total number -- it's simply about the fact that 
there really are some, and we know that here some == quite a few more 
than one.  Better to think of it in terms of a proportion though,   
then allow that the law of large numbers kicks in _on both the 
attackers' and victims' sides of the equation_.  If the potential 
attackers can run their probes from a botnet then they reduce their own 
workload significantly are not even risking discovery or any real 
"loss" if they tracked/shut-down as it is all but guaranteed that all 
they will lose is a bot or two in the odd case where someone will care 
enough to try to track down "the attacker".  And if the available 
victims are, say 0.00015% of all machines, scanning a few million 
machines gets you plenty more new victims.

And that's not even considering that some machines may be more 
worthwhile cracking than others...


Nick FitzGerald

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]