Hi - is anyone aware of any open-ssh exploits doing the rounds currently? I'm running a fairly up to date version of openssh, although it probably is vulnerable to this:

http://online.securityfocus.com/cgi-bin/vulns-item.pl?section=exploit&id=4241

A couple of boxes I look after seem to have been exploited in some manner, and this is the only vulnerability I can find that they could be potentially susceptible to - however, this looks to be a local-only exploit.

I was made aware of the problem by tripwire this morning, in that it notified me of a change to /usr/sbin/sshd. The ssh daemons on the box were removed, and a bunch of new stuff was installed - ./usr/local/sbin/sshd (a link to:) /usr/local/sbin/sshd2 and /usr/local/sbin/sshd-check-config. /usr/sbin/sshd (the original location) was then changed to a symbolic link to the newly installed /usr/local/sbin/sshd2.

The new daemon no longer logs through syslog, and appears to open another TCP port (1503). I'm still trying to work out exactly what's happened, though, so that's about all the information I have for the moment.

I have copies of the seemingly trojaned binaries, if anybody wants them.

Any information anyone can give me will be gratefully received. If I've missed some important info, please say so...

Regards

--
Lee Evans
http://www.leeevans.org
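
Added example, not part of the original post: a triage sketch for the two indicators reported above, a daemon path swapped for a symbolic link to a different binary and an unexpected listening TCP port. The function names, the temporary files and the /proc/net/tcp sample (columns truncated) are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def snapshot(path):
    """Record type, resolved target and SHA-256 of whatever would execute at path."""
    is_link = os.path.islink(path)
    digest = hashlib.sha256(Path(path).read_bytes()).hexdigest()  # follows the link
    return {"type": "symlink" if is_link else "file",
            "target": os.path.realpath(path) if is_link else None,
            "sha256": digest}

def compare(baseline, current):
    """List differences between a trusted baseline snapshot and the current one."""
    findings = []
    if baseline["type"] != current["type"]:
        findings.append(f"type changed: {baseline['type']} -> {current['type']} ({current['target']})")
    if baseline["sha256"] != current["sha256"]:
        findings.append("content hash changed")
    return findings

def listening_ports(proc_net_tcp):
    """Return ports in LISTEN state (st field 0A) from /proc/net/tcp text."""
    ports = set()
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) > 3 and fields[3] == "0A":
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return sorted(ports)

def demo():
    """Constructed scenario: a daemon file replaced by a symlink to a different file."""
    with tempfile.TemporaryDirectory() as root:
        sshd, sshd2 = Path(root, "sshd"), Path(root, "sshd2")
        sshd.write_bytes(b"original daemon")
        baseline = snapshot(sshd)          # taken while the file is still trusted
        sshd2.write_bytes(b"replacement daemon")
        sshd.unlink()
        sshd.symlink_to(sshd2)
        return compare(baseline, snapshot(sshd))

# Constructed /proc/net/tcp sample: listeners on 22 (0x0016) and 1503 (0x05DF).
SAMPLE_TCP = """  sl  local_address rem_address   st
   0: 00000000:0016 00000000:0000 0A
   1: 00000000:05DF 00000000:0000 0A
   2: 0100007F:8A3C 0100007F:0016 01"""

if __name__ == "__main__":
    print(demo(), listening_ports(SAMPLE_TCP))
```

On a host suspected of compromise, the baseline and the tools reading it should come from trusted read-only media, since local binaries and /proc output may themselves be tampered with.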
This archive was generated by hypermail 2b30 : Thu Mar 14 2002 - 13:31:19 PST