Re: SSH2 Exploit?

[condor () SEKURE ORG (Thiago/c0nd0r)]

His machine was not running QPOP, but a simple POP Server, which does not
have any known remote exploitation. It seems to be something with the SSH2
daemon.

Regards,

-condor
www.sekure.org
 s e k u r e

Portal Brasileiro de Seguranca
www.securenet.com.br

On Fri, 11 Feb 2000, Jonathan A. Zdziarski wrote:

> I know the latest qpopper has exploits which is why we use the pre-beta
> versions.  I've since wrapped ssh to run from inetd, and prevented any
> connections outside of our network.
>
> Thank you,
>
> Jonathan A. Zdziarski
> Director - MIS
> NetRail, inc.
> 230 Peachtree St.
> Suite 1700
> Atlanta, GA 30303
> 404-522-5400 x240
>
>
> > -----Original Message-----
> > From: Thiago/c0nd0r [mailto:condor () sekure org]
> > Sent: Friday, February 11, 2000 7:35 AM
> > To: Jonathan A. Zdziarski
> > Cc: incidents () lists securityfocus com
> > Subject: Re: SSH2 Exploit?
> >
> >
> >
> > A friend of mine had the same problem. It was a linux box running SSH2
> > and a native  POP server (the latest version). As it was complete erased,
> > I was unable to recover further information.
> >
> > -condor
> > www.sekure.org
> >  s e k u r e
> >
> > Portal Brasileiro de Seguranca
> > www.securenet.com.br
> >
> > On Wed, 9 Feb 2000, Jonathan A. Zdziarski wrote:
> >
> > > We recently had one of our remote logging servers compromised.  It was
> > > totally locked down running only ssh2; all inet processes were
> > turned off.
> > > Unfortunately, they obliterated the disk so we were not able to get any
> > > information about how they exploited our machine, however since the only
> > > point of entry was SSH2, I'm very concerned about a possibly
> > vulnerability
> > > in the code.  What is the general consensus of the 'most
> > secure' version of
> > > ssh? 1.2.27?
> > >
> > > Thank you,
> > >
> > > Jonathan A. Zdziarski
> > > Director - MIS
> > > NetRail, inc.
> > > 230 Peachtree St.
> > > Suite 1700
> > > Atlanta, GA 30303
> > > 404-522-5400 x240