Re: SSH2 Exploit?

From: Ron DuFresne (dufresne@winternet.com)
Date: 02/26/02


Date: Tue, 26 Feb 2002 05:53:22 -0600 (CST)
From: Ron DuFresne <dufresne@winternet.com>
To: John Compton <johny_compton@hotmail.com>


Where's the copy of the binary here? If others are to help in defining
what you think you found, do you not think it proper to put the file up
for review and auditing/debugging?

Thanks,

Ron DuFresne

On Tue, 26 Feb 2002, John Compton wrote:

> Hi,
>
> I recently had a break-in on a redhat linux system. The attacker installed
> what appears to be torn kit, but there was one thing which caught my
> attention. I found a binary named "sshex" on the compromised system. I
> guess this is the exploit used to break in cause most of the servers here
> are kept up-to-date. The system was being used to actively scan for ssh
> servers.
>
> [root@testbox ]# ./sshex
>
> 7350ylonen - x86 ssh2 <= 3.1.0 exploit
> dream team teso
> usage: 7350ylonen [-hd] <-p port> <-t target> <-d packet_delay> host
>
> RH 7.x - SSH-2.0-3.x SSH Secure Shell
> RH 7.x - SSH-2.0-2.x SSH Secure Shell
> RH 6.x - SSH-2.0-2.x SSH Secure Shell
> Slack 8.0 - SSH-2.0-3.x SSH Secure Shell
> SuSE-7.3 - SSH-2.0-3.x SSH Secure Shell
> FreeBSD 4.3 - SSH-2.0-3.x SSH Secure Shell
> FreeBSD 4.3 - SSH-2.0-2.x SSH Secure Shell
>
> It tries to connect to port 22 when I target localhost, but I can't tell if
> sshd is crashing or not as I can't use gdb to attach to the process in time.
> The only SSH vulnerabilities I could find affected SSH1 servers, or
> OpenSSH. Has anyone else found this exploit on their systems or know
> something about it?
>
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.
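An added example, not from either poster, in the defender's direction: given SSH identification banners already collected from your own hosts (a constructed inventory below, with made-up host names), flag the ones that fall in the range the quoted usage banner claims to target, SSH Secure Shell speaking protocol 2 at version 3.1.0 or below. It parses the banner in the standard `SSH-protoversion-softwareversion [comments]` form and treats `1.99` as a protocol-2-capable server.

```python
import re

# Banner grammar of the SSH transport protocol:
# SSH-protoversion-softwareversion [SP comments]
BANNER_RE = re.compile(r"^SSH-(?P<proto>[^-]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")

# Upper bound taken from the usage banner quoted in the thread ("ssh2 <= 3.1.0").
MAX_AFFECTED = (3, 1, 0)

# Constructed inventory: host name -> banner string collected from that host.
INVENTORY = [
    ("host-a", "SSH-2.0-3.0.1 SSH Secure Shell"),
    ("host-b", "SSH-2.0-3.2.0 SSH Secure Shell"),
    ("host-c", "SSH-2.0-OpenSSH_3.1p1"),
    ("host-d", "SSH-1.99-2.4.0 SSH Secure Shell (non-commercial)"),
    ("host-e", "not a banner at all"),
]


def parse_banner(line):
    """Split an identification string into (protocol, software, comments); None if malformed."""
    m = BANNER_RE.match(line.strip())
    if not m:
        return None
    return m.group("proto"), m.group("software"), m.group("comments") or ""


def version_tuple(s):
    """Turn '3.0.1' into (3, 0, 1); missing components count as zero, trailing text is ignored."""
    nums = []
    for part in s.split("."):
        digits = re.match(r"\d+", part)
        if not digits:
            break
        nums.append(int(digits.group()))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3])


def is_affected(line):
    """True for an 'SSH Secure Shell' banner on protocol 2 (or 1.99) at version <= 3.1.0."""
    parsed = parse_banner(line)
    if parsed is None:
        return False
    proto, software, comments = parsed
    if proto not in ("2.0", "1.99") or "SSH Secure Shell" not in comments:
        return False
    return version_tuple(software) <= MAX_AFFECTED


def flag_inventory(inventory):
    """Return the host names whose banner falls in the affected range."""
    return [host for host, banner in inventory if is_affected(banner)]
```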


