hijacked SSH sessions

Mike Perry mikepery at fscked.org
Tue Oct 17 07:27:34 UTC 2006


Thus spake Taka Khumbartha (scarreigns at gmail.com):

> Mike Perry @ 2006/10/16 13:25:
> > Thus spake Taka Khumbartha (scarreigns at gmail.com):
> > 
> >> today i have had several attempted "man in the middle" attacks on
> >> my SSH sessions.  i am not sure which exit node(s) i was using,
> >> but the MD5 hash of the fingerprint of the spoofed host key is:
> >>
> >> 4d:64:6f:bc:bf:4a:fa:bd:ce:00:b0:8e:c9:40:60:57
> >>
> >> and it does not matter which host i connect to, the MD5 hash
> >> presented is always the same.
> > 
> > Interesting. Could be another upstream chinese ISP, or DNS
> > poisoning again. Were you using SOCKS4A/SOCKS5 or did you connect
> > direct to an IP?
> > 
> 
> i was using socks4 protocol within my ssh application, but directly
> passed an IP address to Tor.

Hrm. Guess it wasn't random DNS redirect then.

Well either they must have been scared off, or I'm blind. Cause
I'm not seeing this now. Been through almost every exit node in the
directory a few times now.

Probably actually malicious though, since I don't think China would be
intimidated by some posts on the Tor list ;)

Please post if you notice it again.

-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
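The tell in the report above is that one host key fingerprint was presented for every destination. The following is an added example, not code from this thread or from the Tor project, showing the two checks a defender would run over observed SSH host keys: flag a fingerprint that more than one unrelated host presents, and flag a host whose presented fingerprint differs from one pinned out of band. The host names, key blobs and pinned values are constructed for the example; only the MD5 colon format matches what OpenSSH prints.

```python
import base64
import hashlib
from collections import defaultdict

# Constructed observations: (host, base64 host-key blob as it appears in
# ~/.ssh/known_hosts or "ssh -v" output). The blobs are made up, not real keys.
OBSERVATIONS = [
    ("alpha.example.net", "YWJj"),   # constructed blob ("abc")
    ("beta.example.net",  "YWJj"),   # same blob as alpha: suspicious
    ("gamma.example.net", "eHl6"),   # constructed blob ("xyz"), a distinct key
]

# Constructed pinned fingerprints, as an admin would record them after an
# out-of-band check (console, a trusted channel). None means not yet verified.
PINNED = {
    "alpha.example.net": "90:01:50:98:3c:d2:4f:b0:d6:96:3f:7d:28:e1:7f:72",
    "beta.example.net":  "00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff",  # placeholder
    "gamma.example.net": None,
}


def md5_fingerprint(b64_key: str) -> str:
    """MD5 of the raw key blob, in OpenSSH's colon-separated hex form."""
    raw = base64.b64decode(b64_key)
    digest = hashlib.md5(raw).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def shared_fingerprints(observations):
    """Map fingerprint -> sorted hosts, for fingerprints presented by more than
    one host. Distinct servers do not share a host key, so any entry here
    points at a single party answering for all of them."""
    seen = defaultdict(set)
    for host, key in observations:
        seen[md5_fingerprint(key)].add(host)
    return {fp: sorted(hosts) for fp, hosts in seen.items() if len(hosts) > 1}


def mismatches(observations, pinned):
    """(host, pinned, presented) for hosts whose presented key differs from
    the pinned fingerprint. Hosts with no pinned value are skipped."""
    out = []
    for host, key in observations:
        fp = md5_fingerprint(key)
        expected = pinned.get(host)
        if expected is not None and expected != fp:
            out.append((host, expected, fp))
    return out


if __name__ == "__main__":
    for fp, hosts in shared_fingerprints(OBSERVATIONS).items():
        print("one key presented by several hosts:", fp, hosts)
    for host, expected, got in mismatches(OBSERVATIONS, PINNED):
        print("pinned key mismatch for", host, "expected", expected, "got", got)
```

The first check needs no prior knowledge of the servers, which is why it catches exactly the situation described in the thread; the second only works for hosts whose key was recorded over a path the interceptor cannot sit on. OpenSSH's own known_hosts comparison is the second check, so a first connection through an untrusted path still needs the fingerprint confirmed out of band.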