Re: chkrootkit reporting sshd vulnerable?

From: nickd@nospam.demon.co.uk
Date: Sat, 29 Dec 2001 12:13:33 GMT

Richard E. Silverman <slade@shore.net> wrote:
>>>>>> "DZ" == Doctor Zen <hidden@from.spammers.net> writes:
>
> DZ> ssh 3.0.1 (commercial) and chkrootkit v0.33 When I run chkrootkit
> DZ> locally it reports sshd not vulnerable, but when I ssh into the
> DZ> box and then run chkrootkit on it in the shell I get "sshd
> DZ> vulnerable but disabled".
>
> This is a little confusing. When you say "locally," I think you actually
> mean remotely -- that is on "the box" in question from elsewhere,
> examining its open network ports.

Chkrootkit only works locally, worth two minutes of your time Mr. Silverman
:) AIUI it only looks for trojans, and won't determine whether a daemon is
vulnerable or not.

> Anyway, I don't know anything about chkrootkit, but this makes sense.
> Assuming it is referring to a vulnerability in sshd1, when scanning the
> box remotely, the tool can only see that protocol 1 is disabled, and so
> reports that the host is not vulnerable. Running it on the host, however,
> it can see that sshd1 is installed, but not available, and so it reports
> that.

I haven't seen similar on boxes I'm running using OpenSSH. However looking
at the other reply in this thread, I note that running strings on sshd does
show lines containing:

01234567890./

Which might be setting off chkrootkit alarms.

OP, if you're willing to trawl through the output of strace, that might be
useful here.

-- 
"Anyone with the naivety to run IIS is, IMHO, automatically suspect when it
 comes to doing anything technical, such as setting a clock."
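
As an added illustration (not code from the thread, and not chkrootkit's own script), the following Python reproduces the kind of strings-and-signature check suspected above and pairs it with the corroboration step a responder would want before reinstalling anything. The signature table, the labels and the sample "binaries" are constructed; only the string "01234567890./" comes from the post.

```python
import hashlib
import re
from typing import Dict, List

# Minimal stand-in for strings(1): runs of >= min_len printable ASCII bytes,
# returned with their byte offset in the file (like `strings -t d`).
def extract_strings(blob: bytes, min_len: int = 4) -> List[tuple]:
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group().decode("ascii")) for m in re.finditer(pattern, blob)]

# Assumed signature table, for illustration only. "01234567890./" is the string
# the poster saw in a legitimate sshd; the label is not chkrootkit's wording.
SIGNATURES: Dict[str, str] = {"01234567890./": "marker string (assumed signature)"}

def scan_strings(blob: bytes) -> List[dict]:
    """Flag every printable string that contains a signature substring."""
    return [
        {"offset": off, "string": s, "signature": sig}
        for off, s in extract_strings(blob)
        for sig in SIGNATURES
        if sig in s
    ]

def corroborate(blob: bytes, known_good: Dict[str, str]) -> str:
    """A string hit is only a hint: compare the binary's digest with a trusted
    list (e.g. package metadata recorded on a clean system) before acting."""
    digest = hashlib.sha256(blob).hexdigest()
    if digest in known_good:
        return "hit but binary matches known-good %s: likely false positive" % known_good[digest]
    return "hit and binary unknown: investigate (strace/ldd, reinstall from trusted media)"

def assess(blob: bytes, known_good: Dict[str, str]) -> dict:
    hits = scan_strings(blob)
    if not hits:
        return {"hits": [], "verdict": "no signature strings found"}
    return {"hits": hits, "verdict": corroborate(blob, known_good)}

# Constructed sample "binaries": a short ELF-like header followed either by a
# usage message or by a character table, the kind of legitimate data that can
# legitimately contain "01234567890./".
CLEAN_BLOB = b"\x7fELF\x00\x00" + b"usage: sshd [options]\x00" + b"\x00" * 8
TABLE_BLOB = b"\x7fELF\x00\x00" + b"ABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890./\x00" + b"\x00" * 8
# Constructed known-good list, as a package manager's file digests would supply.
KNOWN_GOOD = {hashlib.sha256(TABLE_BLOB).hexdigest(): "openssh-server (constructed entry)"}

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_BLOB), ("with-table", TABLE_BLOB)):
        print(name, assess(blob, KNOWN_GOOD))
```

Run against a real sshd you would feed it the bytes of the binary and the digests your distribution publishes; a hit that survives the digest comparison is what deserves the strace session suggested above.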
