Re: SSH2 Exploit?

From: Ron DuFresne (dufresne@winternet.com)
Date: 02/26/02


Date: Tue, 26 Feb 2002 05:53:22 -0600 (CST)
From: Ron DuFresne <dufresne@winternet.com>
To: John Compton <johny_compton@hotmail.com>


Where;s the copy of the binary here? If others are to help in defining
what you thoink you found, do you not think it proper to put the file up
for review and auditing/debugging?

Thanks,

Ron DuFresne

On Tue, 26 Feb 2002, John Compton wrote:

> Hi,
>
> I recently had a break-in on a redhat linux system. The attacker installed
> what appears to be torn kit, but there was one thing which caught my
> attention. I found a binary named "sshex" on the compromised system. I
> guess this is the exploit used to break in cause most of the servers here
> are kept up-to-date. The system was being used to actively scan for ssh
> servers.
>
> [root@testbox ]# ./sshex
>
> 7350ylonen - x86 ssh2 <= 3.1.0 exploit
> dream team teso
> usage: 7350ylonen [-hd] <-p port> <-t target> <-d packet_delay> host
>
> RH 7.x - SSH-2.0-3.x SSH Secure Shell
> RH 7.x - SSH-2.0-2.x SSH Secure Shell
> RH 6.x - SSH-2.0-2.x SSH Secure Shell
> Slack 8.0 - SSH-2.0-3.x SSH Secure Shell
> SuSE-7.3 - SSH-2.0-3.x SSH Secure Shell
> FreeBSD 4.3 - SSH-2.0-3.x SSH Secure Shell
> FreeBSD 4.3 - SSH-2.0-2.x SSH Secure Shell
>
> It tries to connect to port 22 when I target localhost, but I can't tell if
> sshd is crashing or not as I can't use gdb to attach to the process in time.
> The only SSH vulnerabilities I could find affected SSH1 servers, or
> OpenSSH. Has anyone else found this exploit on their systems or know
> something about it?
>
> _________________________________________________________________
> Send and receive Hotmail on your mobile device: http://mobile.msn.com
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.