[Intrusions] FW: SSH Brute forcers
C.J. Steele, CISSP
coreyjsteele at yahoo.com
Fri Jun 10 19:23:05 GMT 2005
Thanks.
The development version of tattle incorporates this, actually... I had
gotten the suggestion from someone on the bugtraq list today, so I
began looking at it. It's a good idea. I'm actually going to use both
my whois method (which will be modified to use Net-Whois-IP using
reverse-lookups of the hostname).
I hope to have a new version available by Monday (it's looking like a
busy weekend for me with family stuff, so I can't promise that).
Cheers,
-C
--- kenneth gf brown <ken at shadowplay.net> wrote:
>
>
> sorry... I haven't seen this pop across the intrusions list....
> so I'm sending it to you direct, hope you don't mind.
>
> > -----Original Message-----
> > From: kenneth gf brown [mailto:ken at shadowplay.net]
> > Sent: June 9, 2005 18:12
> > To: 'Intrusions List (GCIA Practicals)'
> > Subject: RE: [Intrusions] SSH Brute forcers
> > Importance: High
> >
> >
> >
> > kudos!
> >
> > this version works MUCH better
> > (It actually runs hehehe)
> >
> > is there a way you can do a placeholder
> > so that only new items since the last tattle
> > are processed ?
> >
> >
> > also.. I might point out...
> >
> > http://www.abuse.net/using.phtml
> >
> > may be a better solution to your whois lookups...
> > i.e. only do whois on FAILED lookups at abuse.net
> >
> > with this... snipped from the above page...
> >
> > This snippet of perl code will do the lookup and return an
> > array containing the contact addresses:
> >
> > --->snip
> >
> > # look up contacts from abuse.net
> > use strict;
> > use warnings;
> > use Net::DNS;
> >
> > # Return the abuse contact addresses for $domain, walking up to the
> > # parent domain when the more specific name has no TXT record.
> > sub ablookup {
> >     my ($domain) = @_;
> >     my $res = Net::DNS::Resolver->new;
> >
> >     while (1) {
> >         my $query = $res->search("$domain.contacts.abuse.net", "TXT");
> >         if ($query) {
> >             my @r;
> >             foreach my $rr ($query->answer) {
> >                 push @r, $rr->txtdata if $rr->type eq "TXT";
> >             }
> >             return @r;
> >         }
> >         # Net::DNS rejects special characters; strip off the leftmost
> >         # label and see if a parent domain works (give up at two labels)
> >         if ($domain =~ m{^[^.]+\.([^.]+\..+)}) {
> >             $domain = $1;
> >         } else {
> >             die "Cannot lookup contacts for $domain";
> >         }
> >     }
> > }
> > <---snip
> >
> >
> > just a thought...
> > faster, and less chance of a heavily hit site
> > being blacklisted by the whois servers...
> >
> > kenneth gf brown
> > ceo shadowplay.net
> >
> >
> >
> > > -----Original Message-----
> > > From: intrusions-bounces at lists.sans.org
> > > [mailto:intrusions-bounces at lists.sans.org] On Behalf Of
> > C.J. Steele,
> > > CISSP
> > > Sent: June 7, 2005 06:15
> > > To: intrusions at lists.sans.org
> > > Subject: Re: [Intrusions] SSH Brute forcers
> > >
> > >
> > > I've made a few bug fixes to `tattle` (including one that might
> > > prevent it from working at all on some systems), and would readily
> > > accept more peer review of this, if any of you are interested. You
> > > can get the latest from http://sodaphish.com/files/tattle
> > >
> > > Those of you who have already provided feedback: please check the
> > > latest for fixes to your bugs.
> > >
> > > Cheers,
> > > -C
> > >
> > > --
> > > C.J. Steele, CISSP <coreyjsteele at yahoo.com>
> > > _______________________________________________
> > > Intrusions mailing list
> > > Intrusions at lists.sans.org
> > > http://www.dshield.org/mailman/listinfo/intrusions
> > >
> >
>
>
--
C.J. Steele, CISSP <coreyjsteele at yahoo.com>
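As an added example, not tattle's own code and not the abuse.net snippet quoted above, here is the same flow in Python: tally sshd "Failed password" lines per source IP, then resolve an abuse contact through abuse.net TXT records with the same parent-domain fallback the perl loop uses. The log lines are constructed (RFC 5737 addresses), and both the reverse lookup and the TXT lookup are injected callables so the logic runs offline; a dnspython-based resolver is included for live use and assumes that library is installed.

```python
# Added example, not tattle's own code: detect SSH brute forcers from
# sshd log lines and find an abuse contact via abuse.net TXT records,
# using the same parent-domain fallback as the perl snippet above.
import re
from collections import Counter
from typing import Callable, Iterable, Optional

# Constructed sample auth.log lines (RFC 5737 test addresses, not real data).
SAMPLE_AUTH_LOG = """\
Jun  9 18:01:02 host sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 40312 ssh2
Jun  9 18:01:04 host sshd[1235]: Failed password for root from 192.0.2.10 port 40318 ssh2
Jun  9 18:01:05 host sshd[1236]: Failed password for invalid user test from 198.51.100.7 port 51200 ssh2
Jun  9 18:01:09 host sshd[1237]: Accepted publickey for alice from 203.0.113.5 port 22000 ssh2
Jun  9 18:01:12 host sshd[1238]: Failed password for invalid user oracle from 192.0.2.10 port 40330 ssh2
"""

# Matches OpenSSH's "Failed password" line for both valid and invalid users.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def failed_logins(lines: Iterable[str]) -> Counter:
    """Count failed-password attempts per source IP."""
    counts: Counter = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def brute_forcers(lines: Iterable[str], threshold: int = 3) -> dict:
    """Return {ip: failures} for sources at or above the threshold."""
    return {ip: n for ip, n in failed_logins(lines).items() if n >= threshold}


# A TXT lookup takes a DNS name and returns its TXT strings, or None when
# there is no record. It is injected so the walk can be tested offline.
TxtLookup = Callable[[str], Optional[Iterable[str]]]


def abuse_contacts(domain: str, txt_lookup: TxtLookup) -> list:
    """Look up <domain>.contacts.abuse.net, falling back to parent domains.

    Mirrors the perl loop: on a miss, drop the leftmost label and retry,
    but never go below two labels (e.g. example.net), where it gives up.
    """
    while True:
        records = txt_lookup(f"{domain}.contacts.abuse.net")
        if records:
            return list(records)
        labels = domain.split(".")
        if len(labels) > 2:
            domain = ".".join(labels[1:])
        else:
            raise LookupError(f"Cannot lookup contacts for {domain}")


def dnspython_txt_lookup(name: str) -> Optional[list]:
    """Live TXT lookup using dnspython (assumed installed; not used offline)."""
    import dns.exception
    import dns.resolver

    try:
        answer = dns.resolver.resolve(name, "TXT")
    except dns.exception.DNSException:
        return None
    return [b"".join(rdata.strings).decode("ascii", "replace") for rdata in answer]


def report_targets(lines: Iterable[str],
                   reverse_lookup: Callable[[str], Optional[str]],
                   txt_lookup: TxtLookup, threshold: int = 3) -> dict:
    """Map each brute-forcing IP to its abuse contacts ([] if none found).

    reverse_lookup maps an IP to a hostname (e.g. a wrapper around
    socket.gethostbyaddr); it is injected for offline testing.
    """
    targets = {}
    for ip in brute_forcers(lines, threshold):
        host = reverse_lookup(ip)
        try:
            targets[ip] = abuse_contacts(host, txt_lookup) if host else []
        except LookupError:
            targets[ip] = []
    return targets


if __name__ == "__main__":
    # Constructed stand-ins for PTR and abuse.net answers.
    fake_dns = {"example.net.contacts.abuse.net": ["abuse@example.net"]}
    fake_ptr = {"192.0.2.10": "host1.dsl.example.net"}
    print(report_targets(SAMPLE_AUTH_LOG.splitlines(), fake_ptr.get, fake_dns.get))
```

For live use, pass `dnspython_txt_lookup` and a small wrapper around `socket.gethostbyaddr` in place of the dictionary `.get` callables; the domain walk stops at two labels, so a hostname under a registrar-style second-level domain (such as `co.uk`) would need a public-suffix check before trusting the fallback.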