Re: Scans for SSHd via RIPE netblocks, anyone?

From: daniel uriah clemens (dclemensat_private)
Date: Mon Oct 22 2001 - 09:42:02 PDT

    SecurityFocus hinted that they were looking for information
    concerning the SSH CRC-32 Compensation Attack Detector Vulnerability
    released on Feb 8, earlier this year.
    
    They then updated their database for the following entry.
    
    >snip from securityfocus>
    Successful exploitation of this vulnerability is extremely dependent on
    attacker knowledge of the target process memory layout. This
    makes 'one-shot' exploitation difficult. With repeated attempts and the
    widespread use of binary ssh packages, exploitation of this
    vulnerability 'in the wild' is not inconceivable.
    
    There have been reports suggesting that this may be occurring.
    Since early september, independent, reliable sources have confirmed that
    this vulnerability is being exploited by attackers on the
    Internet. Security Focus does not currently have the exploit code being
    used, however this record will be updated if and when it becomes
    available.
    
    NOTE: Cisco 11000 Content Service Switch family is vulnerable to this
    issue. All WebNS releases prior, but excluding, versions: 4.01
    B42s, 4.10 22s, 5.0 B11s, 5.01 B6s, are vulnerable.
    
    >unsnip>
    
    bugtraq id 2347
    object ssh, sshd
    class Boundary Condition Error
    cve CAN-2001-0144
    
    remote Yes
    local No
    published Feb 08, 2001
    updated Oct 19, 2001  
    
    Hope this helps.
    
    
    Simply,
    
    Daniel Uriah Clemens
    
    - dclemensat_private
    
    "The right to freedom being the gift of God Almighty, it is not in the
    power of man to alienate this gift and voluntarily become a
    slave." --Samuel Adams
    
    
    
    On Sun, 21 Oct 2001, Jay D. Dyson wrote:
    
    > Hi folks,
    > 
    > 	No great shakes here, but I'm curious to know if anyone else is
    > seeing concerted SSHd scans coming from RIPE netblocks lately.  I've noted
    > a few here and, while I considered them oddities at first, I'm starting to
    > wonder if someone (or something) across the Atlantic doesn't have the
    > much-ballyhoo'd "0day for sale."
    > 
    > 	I'm not bored enough to see what they're really up to (yet), so I
    > figured I'd just toss this out for general consideration.
    > 
    > 	Oh yeah, the latest scan came from 193.206.153.7.
    > 
    > - -Jay
    > 
    >   (    (                                                         _______
    >   ))   ))   .-"There's always time for a good cup of coffee."-.   >====<--.
    > C|~~|C|~~| (>------ Jay D. Dyson - jdysonat_private ------<) |    = |-'
    >  `--' `--'  `- Peace without justice is life without living. -'  `------'
    > 
    > 
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    > 
    > 
    
    
    



    This archive was generated by hypermail 2b30 : Mon Oct 22 2001 - 09:55:50 PDT