Sorry - the version of ssh I was running was openssh-2.9p2-8.7. The relevant
files are available here: http://www.leeevans.org/downloads/sshr.tgz

I may have to retract my earlier statement that it opened TCP port 1503 - I'm
not so sure on that now.

Thanks
Lee
--
Lee Evans
http://www.leeevans.org

On Thursday 14 Mar 2002 21:42 pm, you wrote:
>Lee,
>
>Where can I grab a copy of that new sshd that you've obtained.
>
>Thanks,
>
>W
>
> Any chance to give details on running sshd version and possibly examine
> the contents?
>
> Lee Evans <leeat_private> spoke:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Hi - is anyone aware of any open-ssh exploits doing the rounds currently?
> > I'm running a fairly up to date version of openssh, although it probably
> > is vulnerable to this:
> >
> > http://online.securityfocus.com/cgi-bin/vulns-item.pl?section=exploit&id=
> >4241
> >
> > A couple of boxes I look after seem to have been exploited in some
> > manner, and this is the only vulnerability I can find that they could be
> > potentially susceptible to - however, this looks to be a local-only
> > exploit. I was made aware of the problem by tripwire this morning, in
> > that it notified me of a change to /usr/sbin/sshd.
> >
> > The ssh daemons on the box were removed, and a bunch of new stuff was
> > installed - ./usr/local/sbin/sshd (a link to:) /usr/local/sbin/sshd2 and
> > /usr/local/sbin/sshd-check-config. /usr/sbin/sshd (the original location)
> > was then changed to a symbolic link to the newly installed
> > /usr/local/sbin/sshd2. The new daemon no longer logs through syslog, and
> > appears to open another TCP port (1503). I'm still trying to work out
> > exactly what's happened, though, so that's about all the information I have
> > for the moment. I have copies of the seemingly trojaned binaries, if
> > anybody wants them.
> >
> > Any information anyone can give me will be gratefully received. If I've
> > missed some important info, please say so...
> >
> > Regards
> > - --
> > Lee Evans
> > http://www.leeevans.org
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.0.6 (GNU/Linux)
> > Comment: For info see http://www.gnupg.org
> >
> > iD8DBQE8kPYwhtUFQXeFbZYRAgysAKClfSsCwW2UhNt4Am+pN/bte7fNrwCdF528
> > ZhdNXljJ7TV3yIlXvgv8PzI=
> > =KG2T
> > -----END PGP SIGNATURE-----
> >
> >
> > -------------------------------------------------------------------------
> >--- This list is provided by the SecurityFocus ARIS analyzer service. For
> > more information on this free incident handling, management
> > and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Mar 14 2002 - 16:15:15 PST
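The indicators Lee describes (Tripwire flagging /usr/sbin/sshd, the original daemon replaced by a symlink to /usr/local/sbin/sshd2, and sshd2 plus sshd-check-config appearing in /usr/local/sbin) are easy to turn into a quick triage script. The script below is an added example and is not part of the thread or of Lee's tarball. It checks only what the posts report; it deliberately does not treat TCP 1503 as an indicator because that claim was retracted. The package name openssh-server and the use of rpm -V are assumptions based on the openssh-2.9p2-8.7 version string; the list of dropped files is taken from the original post.

```shell
#!/bin/sh
# Added triage script for the sshd replacement described in the thread.
# Not part of the original posts. It checks a filesystem tree for the
# indicators Lee reported and, when run with "live", runs extra checks
# on the running host.

# Path of the stock daemon and the files the intruder dropped (from the post).
EXPECTED_SSHD=/usr/sbin/sshd
DROPPED_FILES="/usr/local/sbin/sshd2 /usr/local/sbin/sshd-check-config"

# sshd_indicators [ROOT]
# Inspect the tree under ROOT (default: the live root). Findings are written
# to stderr; the number of indicators found is printed to stdout so a caller
# can capture it with $(...). Passing a ROOT lets you inspect a mounted image
# of a suspect disk instead of the live system.
sshd_indicators() {
    root="${1:-}"
    count=0

    sshd="$root$EXPECTED_SSHD"
    if [ -L "$sshd" ]; then
        # Stock packaging installs a regular file here, not a symlink.
        target=$(readlink "$sshd")
        echo "INDICATOR: $sshd is a symlink -> $target" >&2
        count=$((count + 1))
    elif [ ! -f "$sshd" ]; then
        echo "INDICATOR: $sshd is missing" >&2
        count=$((count + 1))
    fi

    for f in $DROPPED_FILES; do
        if [ -e "$root$f" ]; then
            echo "INDICATOR: unexpected file $root$f" >&2
            count=$((count + 1))
        fi
    done

    echo "$count"
}

# live_checks
# Checks that only make sense on the live host: verify the package's files
# against the RPM database (assumed package name openssh-server), show which
# binary each running sshd was actually started from, and list listeners so
# any unexpected port can be matched to a process.
live_checks() {
    if command -v rpm >/dev/null 2>&1; then
        echo "== rpm -V openssh-server ==" >&2
        rpm -V openssh-server >&2
    fi
    for pid in $(pidof sshd 2>/dev/null); do
        echo "sshd pid $pid runs $(readlink "/proc/$pid/exe")" >&2
    done
    if command -v netstat >/dev/null 2>&1; then
        echo "== listening TCP sockets ==" >&2
        netstat -lntp 2>/dev/null >&2
    fi
}

# Invoke as "sh sshd-triage.sh live" to inspect the running system.
if [ "${1:-}" = "live" ]; then
    n=$(sshd_indicators "")
    echo "indicators found: $n"
    live_checks
fi
```

Run it against a mounted copy of the suspect disk (`sshd_indicators /mnt/evidence`) before touching the live box; Tripwire already told Lee that the binary changed, and a clean offline comparison is worth more than anything the possibly trojaned userland on the host reports. rpm -V will show S, 5 and L flags (size, MD5, symlink) for a replaced /usr/sbin/sshd, but only if the RPM database itself was not tampered with.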