Could this potentially be the sftp bug?
cve.mitre.org ID: CAN-2001-0816

Jason

On 3 Dec 2001 at 11:09, f.johan.beisser wrote:

Date sent: Mon, 3 Dec 2001 11:09:03 -0800 (PST)
From: "f.johan.beisser" <janat_private>
To: <johan.augustssonat_private>
Copies to: <incidentsat_private>
Subject: Re: Attacks against SSH?

> On Mon, 3 Dec 2001 johan.augustssonat_private wrote:
>
> > I stumbled over this post at the openssh-unix-dev mailing list last week -
> > http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=100701808712180&w=2
> > The poster claims that he had OpenSSH-2.9p2-8.7 (latest update for
> > RedHat 7.0) up and running when he received what looks to be a
> > CRC32-attack. A few minutes later you can see (he posted parts of the
> > logfile) a new user being created with uid=0 and then how a connection
> > is made from a system in Israel.
> >
> > There has been no confirmation about what he writes but I received the
> > following mail as an answer to my questions.
>
> [ text cut out]
>
> > So, to the main question.
> > Has anyone else had a system compromised by the CRC32-attack when
> > running a version of sshd that is believed to be secure? OpenSSH-2.3.0
> > or later, SSH 1.2.32 or later.
>
> i've seen quite a few attempts against sshd in the last few days, since
> rumours of a "new OpenSSH exploit" started wandering around.
>
> the thread can be found here:
>
> http://marc.theaimsgroup.com/?t=100701025700001&w=2&r=1
>
> it's a tad bit short on technical details.. but, to summarise:
>
> 1. There is still no proven exploit against OpenSSH 2.3
>    and newer (that i've seen).
>
> 2. there has been a rise in attacks on ssh daemons in the
>    last week.
>
> i tested out a binary exploit that "supposedly" worked on OpenSSH 2.3 to
> 3.0 (but not 3.0.1p1), and had it fail each time. it apparently does attack
> the CRC bug in unpatched/vulnerable versions of ssh.
>
> the exploit is (supposedly) encrypted, stripped, and for x86 linux. the
> binary has an md5 checksum of 1309689a9af6b82e11e8dfa5c6282c30. it's
> roughly 1.4 megs in size. i've only seen it as "x2".
>
> -------/ f. johan beisser /--------------------------------------+
> http://caustic.org/~jan janat_private
> "John Ashcroft is really just the reanimated corpse
> of J. Edgar Hoover." -- Tim Triche
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com

--
Jason Robertson
Network/Security Analyst
jasonat_private
http://www.ifuture.com, http://www.astroadvice.com, http://www.astroeast.com
Also if you are looking for an employee, I may be available soon, so feel free to contact me for my resume.
This archive was generated by hypermail 2b30 : Tue Dec 04 2001 - 09:16:55 PST