Re: chkrootkit reporting sshd vulnerable?

From: nickd@nospam.demon.co.uk
Date: 12/31/01


    From: nickd@nospam.demon.co.uk
    Date: Mon, 31 Dec 2001 11:56:33 GMT
    
    

    Doctor Zen <hidden@from.spammers.net> wrote:

    >> DZ> ssh 3.0.1 (commercial) and chkrootkit v0.33 When I run chkrootkit
    >> DZ> locally it reports sshd not vulnerable, but when I ssh into the
    >> DZ> box and then run chkrootkit on it in the shell I get "sshd
    >> DZ> vulnerable but disabled".
    >> >> This is a little confusing. When you say "locally," I think you
    >> >> actually mean remotely -- that is on "the box" in question from
    >> >> elsewhere, examining its open network ports.
    >>
    >> DZ> No, "locally" means sitting at the keyboard with the box in front
    >> DZ> of me.
    >>
    >> Oh -- you meant you get different results depending on whether you log in
    >> on the console, versus logging via SSH and running the same tool? I would
    >> say in both cases you're running chkrootkit "locally." Whatever.

    Doctor Zen, as I understand it both of those situations - physically at the
    console or ssh'ed in from another host - are "local" to Unix in just about
    every sense. That's what makes this problem so interesting.

    > For example:
    >
    > <sit in front of machineA>
    > root@machineA # chkrootkit
    > sshd not vulnerable
    >
    > <go upstairs and sit in front of machineB>
    >
    > me@machineB # ssh -l root machineA
    > root@machineA # chkrootkit
    > sshd vulnerable but disabled
    >
    > I hope this clarifies it for you, and BTW if you reverse the scenario (test
    > machineB both locally and from machineA) the result is the same.

    This is an interesting one. If you're willing to pursue this, please do take
    a look at "man strace"; using that program you can maybe see exactly what is
    setting off this alarm in chkrootkit. I'd be interested in the solution to
    this one.

    -- 
    "Anyone with the naivety to run IIS is, IMHO, automatically suspect when it
     comes to doing anything technical, such as setting a clock."
    


