Be vigilant for the keywords "corrupted check bytes" and "CRC errors" in your SSH logs. There have been many reports of SSH1 probes and attacks in the last two weeks, on the incidentsat_private and intrusionsat_private mailing lists.

tbird

---------- Forwarded message ----------
Date: Tue, 23 Oct 2001 13:17:21 -0400 (EDT)
From: Max Parke <mhpat_private>
To: bugtraqat_private
Subject: SSH deja vu

Sorry if this is already a known issue.

When the vulnerabilities in ssh-1.xx were publicised, we upgraded to ssh-2.xx on our machines. The process for ssh version 2.xx does NOT erase sshd1 from /usr/local/sbin, and if an incoming client is still running the old ssh version 1, sshd2 will hand off control to /usr/local/sbin/sshd1 (of course, this can be disabled).

It appears that if your old sshd from version 1 was vulnerable before installing ssh version 2, YOU ARE STILL VULNERABLE.

We have information that this problem is currently being actively exploited, and scans for vulnerable machines are being conducted.

Messages such as the following (note: sshd, not sshd2) indicate that a scan may be in progress:

sshd[6169]: fatal: Local: Corrupted check bytes on input.
sshd[6253]: fatal: Local: crc32 compensation attack: network attack detected
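A log check for the two messages quoted above, as an added example that is not part of the original post or of any SSH distribution. It flags only lines logged under the process tag `sshd` (the SSH1 daemon the post warns about) and ignores `sshd2`; the timestamps, the host name `gw1`, the addresses and the non-matching lines in the sample are constructed.

```python
import re
from collections import Counter

# The process tag must be exactly "sshd" (the legacy SSH1 daemon), not "sshd2".
# Works with or without a leading syslog timestamp and host name.
TAG = re.compile(r"(?:^|\s)sshd\[(\d+)\]:\s*(.*)$")

# The two messages quoted in the post, matched case-insensitively.
SIGNATURES = {
    "corrupted_check_bytes": re.compile(r"corrupted check bytes", re.I),
    "crc32_compensation": re.compile(r"crc32 compensation attack", re.I),
}

def scan(lines):
    """Return (hits, counts); each hit is (signature, pid, original line)."""
    hits, counts = [], Counter()
    for raw in lines:
        line = raw.rstrip("\n")
        m = TAG.search(line)
        if not m:
            continue  # logged by sshd2 or another daemon
        pid, msg = int(m.group(1)), m.group(2)
        for name, pattern in SIGNATURES.items():
            if pattern.search(msg):
                hits.append((name, pid, line))
                counts[name] += 1
                break
    return hits, counts

# Constructed sample: only the two message texts come from the post.
SAMPLE = """\
Oct 23 13:02:11 gw1 sshd[6169]: fatal: Local: Corrupted check bytes on input.
Oct 23 13:02:14 gw1 sshd2[6201]: constructed line from the version 2 daemon
Oct 23 13:02:19 gw1 sshd[6253]: fatal: Local: crc32 compensation attack: network attack detected
Oct 23 13:03:40 gw1 sshd2[6260]: constructed line: Corrupted check bytes on input.
Oct 23 13:05:02 gw1 sshd[6301]: log: Connection from 192.0.2.77 port 1022
""".splitlines()

if __name__ == "__main__":
    hits, counts = scan(SAMPLE)
    for name, pid, line in hits:
        print(f"{name:24} pid={pid:<6} {line}")
    print(dict(counts))
```

A hit means the version 1 daemon is still being reached on that host, which is the hand-off from sshd2 to /usr/local/sbin/sshd1 that the post describes.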