ssh exploit
From: Lee Evans (lee@leeevans.org)
Date: 03/14/02
From: Lee Evans <lee@leeevans.org>
To: incidents@securityfocus.com
Date: Thu, 14 Mar 2002 19:12:47 +0000
Hi - is anyone aware of any open-ssh exploits doing the rounds currently? I'm
running a fairly up to date version of openssh, although it probably is
vulnerable to this:
http://online.securityfocus.com/cgi-bin/vulns-item.pl?section=exploit&id=4241
A couple of boxes I look after seem to have been exploited in some manner, and
this is the only vulnerability I can find that they could be potentially
susceptible to - however, this looks to be a local-only exploit. I was made
aware of the problem by tripwire this morning, in that it notified me of a
change to /usr/sbin/sshd.
The ssh daemons on the box were removed, and a bunch of new stuff was
installed - ./usr/local/sbin/sshd (a link to:) /usr/local/sbin/sshd2 and
/usr/local/sbin/sshd-check-config. /usr/sbin/sshd (the original location) was
then changed to a symbolic link to the newly installed /usr/local/sbin/sshd2.
The new daemon no longer logs through syslog, and appears to open another TCP
port (1503). I'm still trying to work out exactly what's happened, though, so
that's about all the information I have for the moment. I have copies of the
seemingly trojaned binaries, if anybody wants them.
Any information anyone can give me will be gratefully received. If I've missed
some important info, please say so...
Regards
--
Lee Evans
http://www.leeevans.org
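
Added example (not part of the original post): a read-only triage check for the indicators the message describes, namely a symlinked /usr/sbin/sshd, the new files under /usr/local/sbin, and a listener on TCP port 1503. The function names, the `root` parameter (for pointing at a mounted disk image) and the sample /proc/net/tcp text are assumptions constructed for illustration.

```python
import os

# Paths and port as reported in the post; everything else here is assumed.
REPORTED_PATHS = ("/usr/sbin/sshd", "/usr/local/sbin/sshd",
                  "/usr/local/sbin/sshd2", "/usr/local/sbin/sshd-check-config")
REPORTED_PORT = 1503

# Constructed sample in /proc/net/tcp layout: listeners on 22 and 1503,
# plus one established connection that must not be reported.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 00000000:05DF 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002
   2: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 1003
"""

def listening_ports(proc_net_tcp):
    """Return local TCP ports in LISTEN state (st column == 0A)."""
    ports = set()
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) >= 4 and fields[3] == "0A":
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports

def triage(root="/", proc_net_tcp=None):
    """List findings matching the indicators described in the post."""
    findings = []
    for path in REPORTED_PATHS:
        full = os.path.join(root, path.lstrip("/"))
        if os.path.islink(full):
            findings.append(f"{path} is a symlink to {os.readlink(full)}")
        elif os.path.exists(full) and path != "/usr/sbin/sshd":
            findings.append(f"{path} exists")
    if proc_net_tcp is None:
        with open("/proc/net/tcp") as fh:
            proc_net_tcp = fh.read()
    if REPORTED_PORT in listening_ports(proc_net_tcp):
        findings.append(f"TCP port {REPORTED_PORT} is listening")
    return findings

if __name__ == "__main__":
    for finding in triage():
        print(finding)
```

A hit is a lead to investigate, not proof of compromise. On a host that may already be compromised, run the check from trusted media against the mounted filesystem, since the local tools and kernel view cannot be relied on.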