Re: chkrootkit reporting sshd vulnerable?

From: nickd@nospam.demon.co.uk
Date: Sat, 29 Dec 2001 12:13:33 GMT

Richard E. Silverman <slade@shore.net> wrote:
>>>>>> "DZ" == Doctor Zen <hidden@from.spammers.net> writes:
>
> DZ> ssh 3.0.1 (commercial) and chkrootkit v0.33 When I run chkrootkit
> DZ> locally it reports sshd not vulnerable, but when I ssh into the
> DZ> box and then run chkrootkit on it in the shell I get "sshd
> DZ> vulnerable but disabled".
>
> This is a little confusing. When you say "locally," I think you actually
> mean remotely -- that is on "the box" in question from elsewhere,
> examining its open network ports.

Chkrootkit only works locally, worth two minutes of your time Mr. Silverman
:) AIUI it only looks for trojans, and won't determine whether a daemon is
vulnerable or not.

> Anyway, I don't know anything about chkrootkit, but this makes sense.
> Assuming it is referring to a vulnerability in sshd1, when scanning the
> box remotely, the tool can only see that protocol 1 is disabled, and so
> reports that the host is not vulnerable. Running it on the host, however,
> it can see that sshd1 is installed, but not available, and so it reports
> that.

I haven't seen similar on boxes I'm running using OpenSSH. However, looking
at the other reply in this thread, I note that running strings on sshd does
show lines containing:

01234567890./

Which might be setting off chkrootkit alarms.

OP, if you're willing to trawl through the output of strace that might be
useful to use here.

-- 
"Anyone with the naivety to run IIS is, IMHO, automatically suspect when it
 comes to doing anything technical, such as setting a clock."


