Incidents
SSH attacks? (thread started Jul 26 2004 by Robin)
> I'm pretty sure there is a new SSH exploit around. At least this clearly
> isn't a brute force attack. As we are seeing lots of scans, but only few
> rooted hosts, it really doesn't look like a worm either. Someone seems
> to be scanning for vulnerable SSH daemons, obviously using previously
> rooted hosts, and then roots vulnerable hosts of his/her choice
> manually.
I think you're jumping to a conclusion here that the facts don't fully
support.
1. The pattern of scans suggests at least an automated system, though not
a fully autonomous worm; as you suggest, perhaps an automated scanner with
manual follow-up on vulnerable hosts.
2. The (apparent) extremely low level of successful penetrations suggests
that the attackers are simply searching for poorly secured systems, not an
actual vulnerability in SSH. If I walk down a street checking all the
doors on all the houses, and find two that were left unlocked, that
doesn't mean all doors are vulnerable.
3. The apparent manual nature of the system compromises, in fact, suggests
even more strongly that there *is* no OpenSSH vulnerability. If there
were, the scum who found it would be more likely to automate the
compromise and release it than simply use it selectively on hosts *after*
attracting everyone's attention with an automated scan like this.
> As I wrote in my previous message, I think it's a good choice to limit
> access to SSH until this issue is solved.
Add a full stop after SSH, and delete the rest of the statement, and I'll
agree with you.
--
Matt Beland
matt (at) rearviewmirror (dot) org [email concealed]
http://www.rearviewmirror.org
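The distinction drawn above, many failed logins with few or no successes pointing to door-rattling rather than an SSH flaw, is exactly what a defender can check in sshd's own log. The following is an added example, not code from the original thread or from any of its authors: it parses constructed syslog-style sshd lines (the addresses and user names are made up, drawn from documentation ranges) and classifies each source as a scanner (failures only), a possible compromise (failures from a source that then gets an "Accepted"), or benign. The `scan_threshold` parameter and the verdict labels are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines in syslog format; not taken from the original thread.
SAMPLE_LOG = """\
Jul 27 02:14:01 host1 sshd[2201]: Failed password for invalid user test from 198.51.100.7 port 40122 ssh2
Jul 27 02:14:03 host1 sshd[2203]: Failed password for invalid user guest from 198.51.100.7 port 40125 ssh2
Jul 27 02:14:05 host1 sshd[2205]: Failed password for root from 198.51.100.7 port 40130 ssh2
Jul 27 02:14:07 host1 sshd[2207]: Failed password for invalid user admin from 198.51.100.7 port 40131 ssh2
Jul 27 02:16:11 host1 sshd[2301]: Failed password for invalid user test from 203.0.113.9 port 51002 ssh2
Jul 27 02:16:14 host1 sshd[2304]: Failed password for invalid user guest from 203.0.113.9 port 51004 ssh2
Jul 27 02:16:20 host1 sshd[2308]: Accepted password for guest from 203.0.113.9 port 51010 ssh2
Jul 27 08:00:00 host1 sshd[2900]: Accepted publickey for alice from 192.0.2.10 port 60000 ssh2
"""

# Matches the OpenSSH "Accepted <method> for <user> from <src>" and
# "Failed <method> for [invalid user] <user> from <src>" message forms.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_auth_log(text):
    """Yield (result, method, user, src) for every sshd authentication line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("method"), m.group("user"), m.group("src")


def triage_sources(text, scan_threshold=3):
    """Group authentication events by source address and assign a verdict.

    Returns {src: {"failed": int, "accepted": [(user, method), ...], "verdict": str}}.
    Verdicts (labels chosen for this example):
      "scanner"             - at least scan_threshold failures and no success
      "possible compromise" - failures from a source that also got an Accepted
      "benign"              - everything else (e.g. a clean key-based login)
    """
    stats = defaultdict(lambda: {"failed": 0, "accepted": [], "verdict": "benign"})
    for result, method, user, src in parse_auth_log(text):
        entry = stats[src]
        if result == "Failed":
            entry["failed"] += 1
        else:
            entry["accepted"].append((user, method))

    for entry in stats.values():
        if entry["accepted"] and entry["failed"] > 0:
            # Guessing followed by a success is the rare "rooted host" case worth investigating.
            entry["verdict"] = "possible compromise"
        elif entry["failed"] >= scan_threshold:
            # Failures only: someone trying every door on the street.
            entry["verdict"] = "scanner"
    return dict(stats)


def summarize(text, scan_threshold=3):
    """Return a list of one-line summaries, one per source, for quick review."""
    lines = []
    for src, entry in sorted(triage_sources(text, scan_threshold).items()):
        lines.append(
            f"{src}: {entry['failed']} failed, {len(entry['accepted'])} accepted -> {entry['verdict']}"
        )
    return lines


if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG):
        print(line)
```

Run against a real `/var/log/auth.log` (or `journalctl -u ssh`), a high count of "scanner" sources with zero "possible compromise" entries is the log-level version of the argument made in the post; the one or two sources that do flip to "possible compromise" are where the incident response time should go.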