Re: Attacks against SSH?

From: johan.augustsson@adm.gu.se
Date: 12/06/01


Date: Thu, 06 Dec 2001 08:01:04 +0100
From: johan.augustsson@adm.gu.se
To: incidents@securityfocus.com


Has anyone seen anything from this guy?
It would be interesting to know what version of BIND and SSH he was
running and if the logs showed anything at all.

If he was running the latest versions of BIND and OpenSSH that RedHat
has RPMs for and still got compromised I would like to know how that
happened.

--------------------------------------------------------------------
Johan Augustsson Phone: +46 (0)31 773 1000
Incident Response Team Fax: +46 (0)31 773 1087
Göteborg University E-mail: Johan.Augustsson@adm.gu.se
Sweden
--------------------------------------------------------------------

Renee Teunissen wrote:
>
> I was running http/https (apache), smtp (postfix) and named. All with the
> latest versions. I saw several things in the logs which gave me the
> impression it was sshd. I will send this to the list as soon as I'm home.
>
> Renee.
> ----- Original Message -----
> From: <johan.augustsson@adm.gu.se>
> To: "Renee Teunissen" <renee@wittenburg10c.nl>
> Sent: Tuesday, December 04, 2001 8:32 AM
> Subject: Re: Attacks against SSH?
>
> > Renee Teunissen wrote:
> > >
> > > The same seemed to happen to me last weekend, and I am still investigating
> > > what went wrong. I thought, since I forgot to disable SSH-1, that this was
> > > the reason. Is it or not?
> > >
> > > I'm running Red Hat 7.0 with all the latest security fixes, could not find
> > > anything on securityfocus nor packetstorm about this ssh-problem. Am I
> > > fooled or what?
> > >
> >
> >
> > What services were running at the time of the intrusion?
> > What versions? Did you restart sshd after upgrading it?
> >
> > The following will tell you version and protocol of sshd
> > % telnet 192.168.1.2 22
> > Trying 192.168.1.2...
> > Connected to 192.168.1.2
> > Escape character is '^]'.
> > SSH-2.0-OpenSSH_3.0.2p1
> >

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
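The check quoted in the thread (telnet to port 22 and read the identification line) automated as an added example; this is not code from the original thread or from the OpenSSH project. It reads the identification string the running sshd sends (RFC 4253 format "SSH-protoversion-softwareversion"), which reflects the daemon actually in memory rather than the installed package, so it answers the "did you restart sshd after upgrading" question. It also flags a "1.99" protocol field, which means the server still falls back to SSH-1. The host 192.168.1.2 is taken from the thread; the other sample banners are constructed for illustration.

```python
import re
import socket
import sys
from dataclasses import dataclass
from typing import Optional

# Identification string shape (RFC 4253 section 4.2):
#   "SSH-" protoversion "-" softwareversion [ SP comments ] CR LF
BANNER_RE = re.compile(r"^SSH-(?P<proto>[^-]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")


@dataclass
class SshBanner:
    protocol: str            # e.g. "2.0", "1.99", "1.5"
    software: str            # e.g. "OpenSSH_3.0.2p1"
    comments: Optional[str]  # optional vendor comment after a space


def parse_ssh_banner(raw: bytes) -> SshBanner:
    """Parse one identification line as sent by sshd (trailing CR/LF tolerated)."""
    line = raw.decode("ascii", errors="replace").rstrip("\r\n")
    m = BANNER_RE.match(line)
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return SshBanner(m.group("proto"), m.group("software"), m.group("comments"))


def assess_protocol(banner: SshBanner) -> str:
    """Say which protocol generations the running daemon will negotiate."""
    if banner.protocol == "1.99":
        return "accepts both SSH-1 and SSH-2; SSH-1 fallback is still enabled"
    if banner.protocol.startswith("1."):
        return "SSH-1 only"
    if banner.protocol.startswith("2."):
        return "SSH-2 only"
    return f"unknown protocol version {banner.protocol!r}"


def grab_banner(host: str, port: int = 22, timeout: float = 5.0) -> SshBanner:
    """Connect and return the first line starting with 'SSH-'.

    RFC 4253 allows a server to send other text lines before the
    identification string, so lines that do not start with 'SSH-' are skipped.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        for _ in range(32):  # bound the number of pre-banner lines we tolerate
            line = reader.readline(255)
            if not line:
                break
            if line.startswith(b"SSH-"):
                return parse_ssh_banner(line)
    raise ValueError("no SSH identification string received")


if __name__ == "__main__":
    # Constructed sample banners: the first is the one shown in the thread,
    # the other two are made up to show the SSH-1 cases the thread asks about.
    samples = [
        b"SSH-2.0-OpenSSH_3.0.2p1\r\n",
        b"SSH-1.99-OpenSSH_2.9p2\r\n",
        b"SSH-1.5-1.2.27\r\n",
    ]
    for raw in samples:
        b = parse_ssh_banner(raw)
        print(f"{b.software:24s} proto={b.protocol:5s} {assess_protocol(b)}")

    # Live check against a host given on the command line, e.g. 192.168.1.2
    if len(sys.argv) > 1:
        live = grab_banner(sys.argv[1])
        print(f"{sys.argv[1]}: {live.software} ({assess_protocol(live)})")
```

Run it with the address of your own server as the first argument; if the software field still shows the pre-upgrade version after an RPM update, the old daemon is still running and needs a restart.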


