[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: hijacked SSH sessions

To: or-talk@xxxxxxxxxxxxx
Subject: Re: hijacked SSH sessions
From: Mike Perry <mikepery@xxxxxxxxxx>
Date: Mon, 16 Oct 2006 15:25:56 -0500
Delivered-to: archiver@seul.org
Delivered-to: or-talk-outgoing@seul.org
Delivered-to: or-talk@seul.org
Delivery-date: Mon, 16 Oct 2006 16:28:03 -0400
In-reply-to: <45331411.2020203@gmail.com>
References: <45331411.2020203@gmail.com>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx
User-agent: Mutt/1.4.1i

Thus spake Taka Khumbartha (scarreigns@xxxxxxxxx):

> today i have had several attempted "man in the middle" attacks on my
> SSH sessions.  i am not sure which exit node(s) i was using, but the
> MD5 hash of the fingerprint of the spoofed host key is:
> 
> 4d:64:6f:bc:bf:4a:fa:bd:ce:00:b0:8e:c9:40:60:57
> 
> and it does not matter which host i connect to, the MD5 hash
> presented it always the same.

Interesting. Could be another upstream chinese ISP, or DNS poisoning
again. Were you using SOCKS4A/SOCKS5 or did you connect direct to an
IP?

I just wrote a scanner for this for SOAT and have been scanning for an
hour or so now. Haven't seen it yet, but I'm using tsocks so if they
did it with DNS, I'm not gonna see it yet.. Or perhaps they saw your
mail and shut 'er down. I'll keep scanning though.

Anyone know a clever way to get a random sampling of ssh hosts
without brute-force IP scanning? I don't need logins, just IPs.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs

Follow-Ups:
- Re: hijacked SSH sessions
  - From: Taka Khumbartha

References:
- hijacked SSH sessions
  - From: Taka Khumbartha

Prev by Author: Re: Snakes On A Tor Scanner - 0.0.4
Next by Author: Re: hijacked SSH sessions
Previous by thread: Re: hijacked SSH sessions
Next by thread: Re: hijacked SSH sessions
Index(es):
- Author
- Thread