Wednesday, October 15, 2008

Why Patch?

This morning I was looking through my SSH server logs and as usual I saw the standard brute force attempts. I thought I would spend a few minutes looking at why certain IPs had nothing better to do than to throw some lame ass dictionary attack at me.

So first I would SSH into my box and grep through the logs for failed login attempts.

grep -i failed /var/log/auth.log | less
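
Grep gets you the raw lines, but to see which IPs are actually hammering you and which usernames they are guessing it helps to tally the "Failed password" lines per source. The script below is an added example (not from the original post): it parses the OpenSSH failed-login format that sshd writes to /var/log/auth.log, counts failures per IP, lists the usernames each IP tried, and flags any IP at or above a threshold. The log lines embedded in it are constructed samples using documentation address ranges, not lines from the author's logs, and the `threshold` of 3 is an arbitrary choice.

```python
import re
from collections import Counter, defaultdict

# Regex for the OpenSSH "Failed password" line as written to /var/log/auth.log.
# The "invalid user" prefix appears when the guessed account does not exist at all.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?P<invalid>invalid user) )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)

# Constructed sample lines (not the author's logs); 192.0.2.0/24 and
# 198.51.100.0/24 are documentation ranges, so nothing here points at a real host.
SAMPLE_LOG = """\
Oct 15 06:12:01 myhost sshd[4101]: Accepted publickey for alice from 198.51.100.7 port 51122 ssh2
Oct 15 06:12:03 myhost sshd[4102]: Failed password for invalid user admin from 192.0.2.10 port 40213 ssh2
Oct 15 06:12:05 myhost sshd[4103]: Failed password for invalid user oracle from 192.0.2.10 port 40215 ssh2
Oct 15 06:12:07 myhost sshd[4104]: Failed password for root from 192.0.2.10 port 40218 ssh2
Oct 15 06:12:09 myhost sshd[4105]: Failed password for invalid user test from 192.0.2.10 port 40220 ssh2
Oct 15 06:13:40 myhost sshd[4110]: Failed password for alice from 198.51.100.7 port 51130 ssh2
Oct 15 06:14:02 myhost sshd[4111]: Failed password for invalid user guest from 192.0.2.55 port 33001 ssh2
"""


def parse_failed_logins(text):
    """Return one dict per 'Failed password' line; every other line is ignored."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append({
                "ts": m.group("ts"),
                "user": m.group("user"),
                "ip": m.group("ip"),
                "invalid_user": m.group("invalid") is not None,
            })
    return events


def summarize(events, threshold=3):
    """Count failures per source IP and collect the usernames each IP tried.

    IPs with at least `threshold` failures are flagged as likely brute-forcers;
    a single typo from a legitimate user (alice above) stays below the bar.
    """
    per_ip = Counter(e["ip"] for e in events)
    users_by_ip = defaultdict(set)
    for e in events:
        users_by_ip[e["ip"]].add(e["user"])
    flagged = sorted(ip for ip, n in per_ip.items() if n >= threshold)
    return {
        "per_ip": dict(per_ip),
        "users_by_ip": {ip: sorted(users) for ip, users in users_by_ip.items()},
        "flagged": flagged,
    }


if __name__ == "__main__":
    import sys
    # Read a real file if one is given (e.g. /var/log/auth.log), else use the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    report = summarize(parse_failed_logins(data))
    for ip in report["flagged"]:
        print(f"{ip}: {report['per_ip'][ip]} failures, "
              f"users tried: {', '.join(report['users_by_ip'][ip])}")
```

Run it with no arguments to see it work on the sample, or point it at your own auth.log. The "invalid user" flag is worth keeping separate: a burst of failures for accounts that do not exist is the signature of a dictionary attack, whereas repeated failures for a real account may be a legitimate user with a wrong password, which you would handle very differently.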
First I took just one IP from my logs, and Nmap'd it (well they started it!). I found a single SSH port open running a vulnerable version of OpenSSH.

nmap -F 199.33.132.127 -PN
Okay, so using nmap fast scan (looking for the most common ports) I see that port 22 is open.

Now I used a really great website called clez.net to look at the port in more detail.

This site gives me the SSH version and plenty of other interesting info.

So now if I google the SSH version I quickly find that it's an old vulnerable version (OpenSSH 3.9p1).

So it would seem that some poor sucker has got his box owned and now he is scanning my box.

So that's it really. I just wanted to demonstrate to anyone who might read this why it is important to patch.
