[unisog] SSH CRC32 Overflow Filler Exploit and Password Guessing

Lois Lehman LOIS.LEHMAN at asu.edu
Mon Jun 20 17:36:27 GMT 2005

Is anyone else seeing an increase in the SSH CRC32 Overflow Filler
exploit followed by attempts to guess passwords on port 22 (SSH)?

In one building here on June 16, we had over 70,000 alerts on our IDS
for the CRC32 overflow exploit.  We also saw system logs showing the
attempts to guess passwords using port 22 from some of the same IP
numbers that were the source of the CRC32 exploit attempts.  

There were multiple source IP addresses targeting the same destination
IP addresses here on campus during a small window of time.  Each
destination IP had an average of 750 exploit packets sent to it.  The
sources of the exploits were in China, Taiwan, US, Czech Republic, Italy,
and Hong Kong for a few.

Does anyone have similar activity happening on your campus?  Or is our
campus special?  

Lois Lehman
Arizona State University
College of Liberal Arts & Sciences IT
Computing Manager
Information Assurance Coordinator
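
The correlation described in the message above (sources that trigger the CRC32 alert and then appear in sshd password failures) can be checked with a short script. This is an added example, not part of the original post; the log lines, IP addresses, the IDS alert format and the ISO-normalized timestamps are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample data (documentation IP ranges). The IDS line format and
# the ISO timestamps are assumptions; adapt the regexes to your own sensors.
IDS_ALERTS = """\
2005-06-16T09:14:02 alert="SSH CRC32 overflow filler" src=203.0.113.7 dst=192.0.2.10 dport=22
2005-06-16T09:14:03 alert="SSH CRC32 overflow filler" src=203.0.113.7 dst=192.0.2.10 dport=22
2005-06-16T09:15:40 alert="SSH CRC32 overflow filler" src=198.51.100.23 dst=192.0.2.10 dport=22
2005-06-16T09:16:11 alert="SSH CRC32 overflow filler" src=198.51.100.99 dst=192.0.2.11 dport=22
"""
SSHD_LOG = """\
2005-06-16T09:20:31 host10 sshd[4121]: Failed password for root from 203.0.113.7 port 40112 ssh2
2005-06-16T09:20:35 host10 sshd[4123]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
2005-06-16T09:21:02 host10 sshd[4130]: Failed password for invalid user test from 198.51.100.23 port 51500 ssh2
2005-06-16T08:02:10 host11 sshd[3990]: Failed password for alice from 192.0.2.77 port 33211 ssh2
"""

ALERT_RE = re.compile(r'^(\S+) alert="([^"]+)" src=(\S+) dst=(\S+)')
FAIL_RE = re.compile(
    r'^(\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+')

def parse_alerts(text, signature="SSH CRC32 overflow filler"):
    """Return {src_ip: [alert timestamps]} for alerts matching the signature."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m and m.group(2) == signature:
            hits[m.group(3)].append(datetime.fromisoformat(m.group(1)))
    return hits

def parse_failures(text):
    """Return {src_ip: [(timestamp, username)]} for sshd password failures."""
    fails = defaultdict(list)
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            fails[m.group(3)].append((datetime.fromisoformat(m.group(1)), m.group(2)))
    return fails

def correlate(alerts, failures):
    """Sources whose password failures occur at or after their first exploit alert."""
    report = {}
    for src in sorted(alerts.keys() & failures.keys()):
        first_alert = min(alerts[src])
        later = [(ts, user) for ts, user in failures[src] if ts >= first_alert]
        if later:
            report[src] = {"alerts": len(alerts[src]), "failed_logins": len(later),
                           "users": sorted({u for _, u in later})}
    return report
```

Calling `correlate(parse_alerts(IDS_ALERTS), parse_failures(SSHD_LOG))` returns only the sources seen in both logs, with the alert count, failed-login count and the usernames tried.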
