[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: hijacked SSH sessions

Thus spake Taka Khumbartha (scarreigns@xxxxxxxxx):

> Mike Perry @ 2006/10/16 13:25:
> > Thus spake Taka Khumbartha (scarreigns@xxxxxxxxx):
> > 
> >> today i have had several attempted "man in the middle" attacks on
> >> my SSH sessions.  i am not sure which exit node(s) i was using,
> >> but the MD5 hash of the fingerprint of the spoofed host key is:
> >>
> >> 4d:64:6f:bc:bf:4a:fa:bd:ce:00:b0:8e:c9:40:60:57
> >>
> >> and it does not matter which host i connect to, the MD5 hash
> >> presented it always the same.
> > 
> > Interesting. Could be another upstream chinese ISP, or DNS
> > poisoning again. Were you using SOCKS4A/SOCKS5 or did you connect
> > direct to an IP?
> > 
> i was using socks4 protocol within my ssh application, but directly
> passed an IP address to Tor.

Hrm. Guess it wasn't random DNS redirect then.

Well either they must have been scared off, or I'm blind. Cause
I'm not seeing this now. Been through almost every exit node in the
directory a few times now..

Probably actually malicious though, since I don't think China would be
intimidated by some posts on the Tor list ;)

Please post if you notice it again.

Mike Perry
Mad Computer Scientist
fscked.org evil labs