SSH1 CRC32 Compensation Attacks

From: Armando B. Ortiz (aortiz@onlinetraffic.com)
Date: Sun Dec 09 2001 - 07:36:49 PST

  • Next message: Jay D. Dyson: "Voluminous SSHd scanning; possible worm activity?" 

    The attacks apparently took down two of our servers in a 4-server
webfarm.  They apparently leave the typical root kits and
compromised/trojaned binaries.

Unfortunately, I can't recover the other boxes and have to rebuild
them.  The intruder left compromised files relating to the operation of
SSH as well as a trojaned SSH daemon.

=:(

-- 
-----------------------------------------------------------------
 From the Linux Box of Armando Ortiz
                       System Administrator
                       OnLineTraffic.com
 Email:  aortiz@onlinetraffic.com
 Download my public key from:
  ftp://209.185.214.98/pub/pubkeys/aortiz@onlinetraffic.com.pub
   or retrieve it from
  http://www.keyserver.net as aortiz@onlinetraffic.com
                             (Public Key expires 01/04/2002)
       All emails from me are signed by this public key.
-----------------------------------------------------------------

    This archive was generated by hypermail 2b30 : Mon Dec 10 2001 - 08:35:51 PST