[VulnDiscuss] RE: [VulnWatch] SSH login attempts: tcpdump packet capture
From: Andrew Sledge (asledge gpc.edu)
Date: Mon Aug 02 2004 - 09:59:21 CDT
I think that there may be some folks out there doing this. I have seen a
thread (http://www.dslreports.com/forum/remark,10854834~mode=flat) about
this. It's coming from a couple of TLDs from Europe and Asia and doesn't
seem to be threatening as long as you have the box locked down properly.
Sledge
-----Original Message-----
From: Jay Libove [mailto:libove felines.org]
Sent: Sunday, August 01, 2004 1:15 PM
To: vulnwatch vulnwatch.org
Subject: [VulnWatch] SSH login attempts: tcpdump packet capture
I got a packet capture of one of the SSH2 sessions trying to log in as a
couple of illegal usernames. The contents of one packet suggest an
attempt to buffer overflow the SSH server; Ethereal's SSH decoding says
"overly large value".
It didn't seem to work against my system (I see no strange processes
running; all files changed in past ten days look normal).
I am cross-posting this message and the attached tcpdump packet capture
file to the following places to let better people than I analyze it:
openssh-unix-dev mindrot.org
secureshell securityfocus.com
full-disclosure lists.netsys.com
vulnwatch vulnwatch.org
-Jay Libove, CISSP
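
An added example, not part of the original messages and not Ethereal's code: a framing check on the SSH binary packet header (RFC 4253, section 6) that flags a declared length above the 35000-byte total size every implementation must accept. The function names, the choice of that figure as a threshold, and the sample bytes are assumptions constructed for illustration.

```python
import struct

# RFC 4253 section 6.1: implementations must handle packets of up to
# 35000 bytes in total. Using that figure as a flag threshold is an assumption.
MAX_PACKET = 35000
MIN_PADDING = 4  # RFC 4253 section 6: at least four bytes of padding


def check_ssh_packet(data: bytes) -> str:
    """Classify the framing of one unencrypted SSH binary packet.

    Layout (RFC 4253 section 6): uint32 packet_length, byte padding_length,
    payload, random padding. packet_length excludes its own four bytes.
    """
    if len(data) < 5:
        return "truncated"
    packet_length, padding_length = struct.unpack(">IB", data[:5])
    if packet_length + 4 > MAX_PACKET:
        return "overly large"
    if padding_length < MIN_PADDING or padding_length + 1 > packet_length:
        return "bad padding"
    if len(data) < packet_length + 4:
        return "truncated"
    return "ok"


def build_packet(payload: bytes, block: int = 8) -> bytes:
    """Frame a payload as a sender does before encryption starts.

    Zero bytes stand in for the random padding in this constructed sample.
    """
    padding = block - ((5 + len(payload)) % block)
    if padding < MIN_PADDING:
        padding += block
    body = bytes([padding]) + payload + b"\x00" * padding
    return struct.pack(">I", len(body)) + body


# Constructed samples, not bytes from the capture discussed above.
SAMPLES = {
    "well-formed": build_packet(b"\x14" + b"A" * 40),  # 0x14 = SSH_MSG_KEXINIT
    "huge length": struct.pack(">IB", 0x7FFFFFFF, 4) + b"\x00" * 16,
    # Random bytes standing in for an encrypted packet: once keys are in use
    # the length field cannot be read from the wire without them.
    "ciphertext-like": bytes.fromhex("9c41f7e20b5d33a8c1e0774f2a6b9d10"),
    "cut short": build_packet(b"\x14" + b"A" * 40)[:20],
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:16} {check_ssh_packet(raw)}")
```
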