Before I blocked all of China, I saw something very similar on an ssh honeypot I run.
Every few hours or so, I'd get the following: http://sprunge.us/OGfE

Seemed totally automated.

J. Stuart McMurray

On Fri, Aug 15, 2014 at 1:51 PM, Josh Grosse <j...@jggimi.homeip.net> wrote:

> On 2014-08-15 12:38, Mihai Popescu wrote:
>
>>> On June 29, there was a 5.5-stable update to www/owncloud to release
>>> 6.0.4 to fix a security issue.
>>>
>>
>> The developers' announcement, from the webpage for this thingie (I
>> don't know what the hell this software is doing):
>> --------------
>>
>> Yeah, you were screwed!
>>
>
> There are a number of security issues that have been fixed in that release
> -- if I read their web page correctly -- including one which that project
> perceives to be a high-risk issue:
>
> https://owncloud.org/security/advisory/?id=oc-sa-2014-018
>
> There's also a big one, that earlier this month that project decided
> *not to fix*. I don't know anything about OwnCloud either, but this sort
> of issue is one that should probably be addressed.
>
> https://senderek.ie/archive/2014/owncloud_unencrypted_private_key_exposure.php
>
> "An attacker, who is able to read the PHP session files by exploiting
> another web application that is running on the ownCloud server, will be
> able to gather the unencrypted private key of every ownCloud user. All
> encrypted files that are stored in a user's home directory can be
> decrypted with this RSA private key, stored in the PHP session files in
> plain text. If the user's encrypted files are synced to other devices or
> shared with other servers - for hosting or backup - an attacker will be
> able to decrypt all user data that is being intercepted, even if the
> attacker has no longer access to the server's file system."