
Re: hijacked SSH sessions



Thus spake Taka Khumbartha (scarreigns@xxxxxxxxx):

> Today I have had several attempted "man in the middle" attacks on my
> SSH sessions.  I am not sure which exit node(s) I was using, but the
> MD5 hash of the fingerprint of the spoofed host key is:
> 
> 4d:64:6f:bc:bf:4a:fa:bd:ce:00:b0:8e:c9:40:60:57
> 
> and it does not matter which host I connect to, the MD5 hash
> presented is always the same.

Interesting. Could be another upstream Chinese ISP, or DNS poisoning
again. Were you using SOCKS4A/SOCKS5 or did you connect directly to an
IP?

I just wrote a scanner for this for SOAT and have been scanning for an
hour or so now. Haven't seen it yet, but I'm using tsocks, so if they
did it with DNS, I'm not gonna see it yet. Or perhaps they saw your
mail and shut 'er down. I'll keep scanning though.

Anyone know a clever way to get a random sampling of ssh hosts
without brute-force IP scanning? I don't need logins, just IPs.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
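The signal Taka describes is that one host key fingerprint comes back no matter which destination is connected to, which a real host key never does. The script below, an added example that is not part of this thread and not the SOAT scanner Mike mentions, automates that check over a batch of host keys collected through different exits: it computes the colon-separated MD5 fingerprint older OpenSSH printed (the format quoted above), and flags any key that is presented for more than one target host, or that matches a known-bad fingerprint such as the one reported. The key lines, host names and exit names are constructed placeholders; the "ssh-rsa" blobs are valid wire format but not real keys.

```python
import base64
import binascii
import hashlib
import struct
from collections import defaultdict

# Fingerprint quoted in the thread as the spoofed host key.
REPORTED_SPOOFED_FP = "4d:64:6f:bc:bf:4a:fa:bd:ce:00:b0:8e:c9:40:60:57"


def _key_blob(line: str) -> bytes:
    """Pull the base64 key blob out of an OpenSSH public key line.

    Works for both '<type> <blob> [comment]' (.pub style) and
    '<host> <type> <blob>' (ssh-keyscan / known_hosts style): the blob is the
    token that base64-decodes to an SSH string equal to the token before it.
    """
    parts = line.split()
    for i in range(len(parts) - 1):
        try:
            blob = base64.b64decode(parts[i + 1], validate=True)
        except (binascii.Error, ValueError):
            continue
        if len(blob) >= 4:
            (n,) = struct.unpack(">I", blob[:4])
            if blob[4:4 + n] == parts[i].encode():
                return blob
    raise ValueError("no '<type> <base64>' pair found in: %r" % line)


def md5_fingerprint(line: str) -> str:
    """MD5 fingerprint in the colon-hex form old OpenSSH displayed."""
    digest = hashlib.md5(_key_blob(line)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _mpint(n: int) -> bytes:
    # +8 instead of +7 keeps a leading zero byte when the high bit is set.
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def fake_rsa_pubkey(e: int, n: int, comment: str) -> str:
    """CONSTRUCTED test data: a syntactically valid ssh-rsa line built from
    arbitrary e and n. Not a usable key, just something to fingerprint."""
    blob = _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)


def find_mitm(observations, known_bad=(REPORTED_SPOOFED_FP,)):
    """observations: iterable of (exit_node, target_host, pubkey_line).

    Returns {fingerprint: {"hosts": [...], "exits": [...]}} for every key that
    was presented for more than one distinct target host, or whose fingerprint
    is in known_bad. A genuine host key belongs to one host; one key answering
    for many hosts is the pattern Taka reported.
    """
    hosts_by_fp = defaultdict(set)
    exits_by_fp = defaultdict(set)
    for exit_node, host, line in observations:
        fp = md5_fingerprint(line)
        hosts_by_fp[fp].add(host)
        exits_by_fp[fp].add(exit_node)
    suspicious = {}
    for fp, hosts in hosts_by_fp.items():
        if len(hosts) > 1 or fp in known_bad:
            suspicious[fp] = {"hosts": sorted(hosts),
                              "exits": sorted(exits_by_fp[fp])}
    return suspicious


# Constructed sample: two targets, three exits. exit-3 hands back the same key
# for every target, which is the behaviour described in the thread.
REAL_ALPHA = fake_rsa_pubkey(65537, 0xA1FA0000000000000001, "alpha real key")
REAL_BETA = fake_rsa_pubkey(65537, 0xBE7A0000000000000001, "beta real key")
MITM_KEY = fake_rsa_pubkey(65537, 0xBAD00000000000000001, "attacker key")
SAMPLE_OBSERVATIONS = [
    ("exit-1", "alpha.example", REAL_ALPHA),
    ("exit-2", "beta.example", REAL_BETA),
    ("exit-3", "alpha.example", MITM_KEY),
    ("exit-3", "beta.example", MITM_KEY),
]

if __name__ == "__main__":
    for fp, info in find_mitm(SAMPLE_OBSERVATIONS).items():
        print("SUSPICIOUS %s served for %s via %s"
              % (fp, ", ".join(info["hosts"]), ", ".join(info["exits"])))
```

To feed it real data, collect keys per exit with something like `torsocks ssh-keyscan -t rsa host` and pass the output lines in as the third tuple element; `_key_blob` accepts that `host type blob` layout directly. Current `ssh-keygen -l -E md5 -f key.pub` prints the same colon-hex form if you want to cross-check a fingerprint by hand. One caveat: a set of hosts that legitimately share a key (cloned VM images, a load-balanced pool) will also trip the "one key, many hosts" rule, so a hit is a reason to compare against a fingerprint obtained without Tor, not proof of interception on its own.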