[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: hijacked SSH sessions
- To: or-talk@xxxxxxxx
- Subject: Re: hijacked SSH sessions
- From: Taka Khumbartha <scarreigns@xxxxxxxxx>
- Date: Sat, 02 Dec 2006 22:38:55 -0700
- Delivered-to: firstname.lastname@example.org
- Delivered-to: email@example.com
- Delivered-to: firstname.lastname@example.org
- Delivery-date: Sun, 03 Dec 2006 00:36:21 -0500
- Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:organization:mime-version:to:subject:references:in-reply-to:content-type:content-transfer-encoding; b=dl0lt75nQl4a7chQa7Oy28QXbdHncA5ZwDYg3cq3FzRW9ficeGFbxdZ1tA95XybLLZpke9HNg/6Ok2LCaYV1dlRTsZluCLS6dWw9xbftXoV2gtVS6dba76cbXxA9TxeG6IH5Xq/Fj2h9AadyZWejYQ3Ime7cvbZtthsRuwuMZOc=
- In-reply-to: <email@example.com>
- Organization: Scar Reigns, Inc.
- References: <firstname.lastname@example.org>
- Reply-to: or-talk@xxxxxxxxxxxxx
- Sender: owner-or-talk@xxxxxxxxxxxxx
-----BEGIN PGP SIGNED MESSAGE-----
i had another questionable MITM attack today. fortunately, i was connecting to my own server and was able to check the SSH logs. the connection came from 22.214.171.124/tor-proxy.thing2thing.com.
the interesting thing is: after waiting 2-3 minutes (hoping to get a new circuit and log in to my server securely) i logged in from the same IP/exit node without any complaints from ssh about differing fingerprints!
another interesting observation is that 126.96.36.199 is not listed in the Tor node listing (http://torstat.xenobite.eu/), however 188.8.131.52 (AKA madrid2) is, which also resolves to the same hostname. in fact, tor-proxy.thing2thing.com seems to have 13 IP addresses.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----