[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] SSH login attempts: tcpdump packet capture

To: <openssh-unix-dev@xxxxxxxxxxx>, <secureshell@xxxxxxxxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxx>, <vulnwatch@xxxxxxxxxxxxx>
Subject: [Full-Disclosure] SSH login attempts: tcpdump packet capture
From: "Jay Libove" <libove@xxxxxxxxxxx>
Date: Sun, 1 Aug 2004 14:03:39 -0400

I got a packet capture of one of the SSH2 sessions trying to log in as a
couple of illegal usernames.  The contents of one packet suggests an
attempt to buffer overflow the SSH server;  ethereal's SSH decoding says
"overly large value".

It didn't seem to work against my system (I see no strange processes
running; all files changed in past ten days look normal).

I am cross-posting this message and the attached tcpdump packet capture
file to the following places to let better people than I analyze it:
        openssh-unix-dev@xxxxxxxxxxx
        secureshell@xxxxxxxxxxxxxxxxx
        full-disclosure@xxxxxxxxxxxxxxxx
        vulnwatch@xxxxxxxxxxxxx

-Jay Libove, CISSP

Attachment: ssh2.tcpdump
Description: ssh2.tcpdump

Prev by Date: Re: [Full-Disclosure] Stateful Packet Inspection
Next by Date: Re: [Full-Disclosure] 0xdefaced[6]
Previous by thread: Re: [Full-Disclosure] Stateful Packet Inspection
Next by thread: [Full-Disclosure] Benchmark Designs' WHM Autopilot backdoor vulnerability to plain-text password.
Index(es):
- Date
- Thread