Security Incidents mailing list archives

Re: Scans for SSHd via RIPE netblocks, anyone?
From: daniel uriah clemens <dclemens () inline com>
Date: Mon, 22 Oct 2001 11:42:02 -0500 (CDT)

SecurityFocus hinted that they were looking for information
concerning the SSH CRC-32 Compensation Attack Detector Vulnerability
released on Feb 8, earlier this year.

They then updated their database for the following entry.

snip from securityfocus>
Successful exploitation of this vulnerability is extremely dependent on
attacker knowledge of the target process memory layout. This
makes 'one-shot' exploitation difficult. With repeated attempts and the
widespread use of binary ssh packages, exploitation of this
vulnerability 'in the wild' is not inconceivable.

There have been reports suggesting that this may be occurring.
Since early September, independent, reliable sources have confirmed that
this vulnerability is being exploited by attackers on the
Internet. Security Focus does not currently have the exploit code being
used, however this record will be updated if and when it becomes
available.

NOTE: Cisco 11000 Content Service Switch family is vulnerable to this
issue. All WebNS releases prior, but excluding, versions: 4.01
B42s, 4.10 22s, 5.0 B11s, 5.01 B6s, are vulnerable.

unsnip>

bugtraq id 2347
object ssh, sshd
class Boundary Condition Error
cve CAN-2001-0144

remote Yes
local No
published Feb 08, 2001
updated Oct 19, 2001  

Hope this helps.


Simply,

Daniel Uriah Clemens

- dclemens () inline com

"The right to freedom being the gift of God Almighty, it is not in the
power of man to alienate this gift and voluntarily become a
slave." --Samuel Adams



On Sun, 21 Oct 2001, Jay D. Dyson wrote:

-----BEGIN PGP SIGNED MESSAGE-----

Hi folks,

      No great shakes here, but I'm curious to know if anyone else is
seeing concerted SSHd scans coming from RIPE netblocks lately.  I've noted
a few here and, while I considered them oddities at first, I'm starting to
wonder if someone (or something) across the Atlantic doesn't have the
much-ballyhoo'd "0day for sale."

      I'm not bored enough to see what they're really up to (yet), so I
figured I'd just toss this out for general consideration.

      Oh yeah, the latest scan came from 193.206.153.7.

- -Jay

  (    (                                                         _______
  ))   ))   .-"There's always time for a good cup of coffee."-.   >====<--.
C|~~|C|~~| (>------ Jay D. Dyson - jdyson () treachery net ------<) |    = |-'
 `--' `--'  `- Peace without justice is life without living. -'  `------'

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iQCVAwUBO9Jz97lDRyqRQ2a9AQHKbwP9EJcPFxXXWuPtOYRVYZmsIEPiomtwXDfu
xKTD01KsWH/dXGxs/h4kKd/QRzPGHnHreri59Sd9UBua+EV0VjzCzcR44Ne9k5ns
3FnP3TYrS1nVJ4q5cm4cawWNXRx3zo0loCbiYRT6Mbsp99y/Rju6Dy2OzA3VaYkH
kKz41A1aFKc=
=kGQe
-----END PGP SIGNATURE-----


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com



