[unisog] SSH CRC32 Overflow Filler Exploit and Password Guessing

Lois Lehman LOIS.LEHMAN at asu.edu
Tue Jun 21 14:51:19 GMT 2005


Peter, I hope they don't get there.  Perhaps all your unix/linux admins
have removed the vulnerability!  

Lois Lehman
Arizona State University
College of Liberal Arts & Sciences IT
Computing Manager
Information Assurance Coordinator
480-965-3139


-----Original Message-----
From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org] On Behalf Of Peter Van Epp
Sent: Monday, June 20, 2005 3:41 PM
To: UNIversity Security Operations Group
Subject: Re: [unisog] SSH CRC32 Overflow Filler Exploit and Password Guessing

On Mon, Jun 20, 2005 at 10:36:27AM -0700, Lois Lehman wrote:
> Is anyone else seeing an increase in the SSH CRC32 Overflow Filler
> exploit followed by attempts to guess passwords on port 22 (SSH)?
> 
> In one building here on June 16, we had over 70,000 alerts on our IDS
> for the CRC32 overflow exploit.  We also saw system logs showing the
> attempts to guess passwords using port 22 from some of the same IP
> numbers that were the source of the CRC32 exploit attempts.  
> 
> There were multiple source IP addresses targeting the same destination
> IP addresses here on campus during a small window of time.  Each
> destination IP had an average of 750 exploit packets sent to it.  The
> source of the exploits were in China, Taiwan, US, Czech Republic, Italy,
> and Hong Kong for a few.
> 
> Does anyone have similar activity happening on your campus?  Or is our
> campus special?  
> 
> Lois Lehman
> Arizona State University
> College of Liberal Arts & Sciences IT
> Computing Manager
> Information Assurance Coordinator
> 480-965-3139
> 
> 
> 
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog

I'm seeing the usual, generally unsuccessful scans up the network for
port 22, but not (at least so far) the typical CRC32 attack of many many
hits on 22 against a single host. Of course they just may not have gotten
here yet.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada