Re: hijacked SSH sessions



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

i had another questionable MITM attack today.  fortunately, i was connecting to my own server and was able to check the SSH logs.  the connection came from 82.103.134.252/tor-proxy.thing2thing.com.

the interesting thing is: after waiting 2-3 minutes (hoping to get a new circuit and log in to my server securely) i logged in from the same IP/exit node without any complaints from ssh about differing fingerprints!

another interesting observation is that 82.103.134.252 is not listed in the Tor node listing (http://torstat.xenobite.eu/), however 82.103.134.253 (AKA madrid2) is, which also resolves to the same hostname.  in fact, tor-proxy.thing2thing.com seems to have 13 IP addresses.

-----BEGIN PGP SIGNATURE-----

iD8DBQFFcmLAXhfCJNu98qARCJpMAKC/FjCyN5kWC1udDnf9qxrKF1U6GQCdFw/i
lUDkir2bctnxTP33F7WP9rQ=
=q+ZD
-----END PGP SIGNATURE-----