Re: Attacks against SSH?

From: johan.augustssonat_private
Date: Wed Dec 05 2001 - 23:01:04 PST

Next message: Skip Carter: "Re: Attacks against SSH?"

Previous message: Skip Carter: "Re: Attacks against SSH?"
Next in thread: Skip Carter: "Re: Attacks against SSH?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Has anyone seen anything from this guy?
It would be interesting to know what version of BIND and SSH he was
running and if the logs showed anything at all.

If he was running the latest versions of BIND and OpenSSH that RedHat
has RPMs for and still got compromised I would like to know how that
happened.

--------------------------------------------------------------------
Johan Augustsson                 Phone: +46 (0)31 773 1000
Incident Response Team           Fax: +46 (0)31 773 1087
Göteborg University              E-mail: Johan.Augustssonat_private
Sweden
--------------------------------------------------------------------


Renee Teunissen wrote:
> 
> I was running http/https (apache), smtp (postfix) and named. All with the
> lastest versions. I saw several things in the logs which gave me the
> impression it was sshd. I will send this to the list as soon as I'm home.
> 
> Renee.
> ----- Original Message -----
> From: <johan.augustssonat_private>
> To: "Renee Teunissen" <reneeat_private>
> Sent: Tuesday, December 04, 2001 8:32 AM
> Subject: Re: Attacks against SSH?
> 
> > Renee Teunissen wrote:
> > >
> > > The same seemed to happened to me last weekend, and am still
> investigating
> > > what went wrong. I thought, sinds I forgot do disable SSH-1, that this
> was
> > > the reason. Is it or not?
> > >
> > > I'm running redhat 7.0 will all the lastest security fixes, could not
> find
> > > anything on securityfocus nor packetstorm about this ssh-problem, and I
> > > fooled or what?
> > >
> >
> >
> > What services where running at the time of the intrusion?
> > What versions? Did you restart sshd after upggrading it?
> >
> > The following will tell you version and protocol of sshd
> > % telnet 192.168.1.2 22
> > Trying 192.168.1.2...
> > Connected to 192.168.1.2
> > Escape character is '^]'.
> > SSH-2.0-OpenSSH_3.0.2p1
> >

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Skip Carter: "Re: Attacks against SSH?"
Previous message: Skip Carter: "Re: Attacks against SSH?"
Next in thread: Skip Carter: "Re: Attacks against SSH?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Dec 06 2001 - 10:11:34 PST