[unisog] SSH CRC32 Overflow Filler Exploit and Password Guessing

Peter Van Epp vanepp at sfu.ca
Mon Jun 20 22:40:47 GMT 2005


On Mon, Jun 20, 2005 at 10:36:27AM -0700, Lois Lehman wrote:
> Is anyone else seeing an increase in the SSH CRC32 Overflow Filler
> exploit followed by attempts to guess passwords on port 22 (SSH)?
> 
> In one building here on June 16, we had over 70,000 alerts on our IDS
> for the CRC32 overflow exploit.  We also saw system logs showing the
> attempts to guess passwords using port 22 from some of the same IP
> numbers that were the source of the CRC32 exploit attempts.  
> 
> There were multiple source IP addresses targeting the same destination
> IP addresses here on campus during a small window of time.  Each
> destination IP had an average of 750 exploit packets sent to it.  The
> sources of the exploits were in China, Taiwan, US, Czech Republic, Italy,
> and Hong Kong for a few.
> 
> Does anyone have similar activity happening on your campus?  Or is our
> campus special?  
> 
> Lois Lehman
> Arizona State University
> College of Liberal Arts & Sciences IT
> Computing Manager
> Information Assurance Coordinator
> 480-965-3139

I'm seeing the usual, generally unsuccessful scans up the network for
port 22, but not (at least so far) the typical CRC32 attack of many, many
hits on 22 against a single host. Of course they just may not have gotten 
here yet.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
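
The correlation discussed in this thread (CRC32 overflow alerts concentrated on single hosts, and password guessing from some of the same source addresses) can be checked with a short script. This is an added example, not part of the original messages or written by either poster; the IDS export format and all sample log lines are constructed assumptions, and the addresses come from the RFC 5737 documentation ranges.

```python
import re
from collections import Counter, defaultdict

# Constructed sample data, not from the thread; RFC 5737 documentation addresses.
# Assumed IDS export format: "<src_ip> <dst_ip> <signature name>"
IDS_ALERTS = """\
203.0.113.5 192.0.2.10 SSH CRC32 overflow filler
203.0.113.5 192.0.2.10 SSH CRC32 overflow filler
203.0.113.5 192.0.2.10 SSH CRC32 overflow filler
198.51.100.7 192.0.2.10 SSH CRC32 overflow filler
198.51.100.7 192.0.2.10 SSH CRC32 overflow filler
198.51.100.9 192.0.2.11 SSH CRC32 overflow filler
"""
# sshd syslog lines in OpenSSH's "Failed password" format (constructed).
AUTH_LOG = """\
Jun 16 03:12:01 host1 sshd[2101]: Failed password for root from 203.0.113.5 port 40112 ssh2
Jun 16 03:12:03 host1 sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 40150 ssh2
Jun 16 03:12:09 host1 sshd[2110]: Failed password for root from 198.51.100.200 port 51514 ssh2
Jun 16 03:15:40 host1 sshd[2144]: Accepted password for alice from 192.0.2.50 port 50022 ssh2
"""
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:(?:invalid|illegal) user )?\S+ from (\S+) port \d+")

def alerts_per_target(ids_text, signature="CRC32"):
    """Map destination IP -> Counter of source IPs that triggered the signature."""
    per_target = defaultdict(Counter)
    for line in ids_text.splitlines():
        parts = line.split(None, 2)  # src, dst, rest of line is the signature name
        if len(parts) == 3 and signature in parts[2]:
            per_target[parts[1]][parts[0]] += 1
    return per_target

def failed_logins(auth_text):
    """Count failed sshd password attempts per source IP."""
    return Counter(m.group(1) for m in map(FAILED.search, auth_text.splitlines()) if m)

def correlate(ids_text, auth_text):
    """Sources seen in both data sets: ip -> (alert count, failed login count)."""
    alert_sources = Counter()
    for sources in alerts_per_target(ids_text).values():
        alert_sources.update(sources)
    failures = failed_logins(auth_text)
    return {ip: (alert_sources[ip], failures[ip])
            for ip in sorted(alert_sources.keys() & failures.keys())}

if __name__ == "__main__":
    for dst, sources in sorted(alerts_per_target(IDS_ALERTS).items()):
        print(f"{dst}: {sum(sources.values())} alerts from {len(sources)} sources")
    for ip, (alerts, fails) in correlate(IDS_ALERTS, AUTH_LOG).items():
        print(f"{ip}: {alerts} CRC32 alerts, {fails} failed logins")
```

A high alert count from several sources against one destination matches the single-host pattern described above, while a source that appears only in the failed-login counts is more likely part of an ordinary port 22 scan.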

