Security Incidents mailing list archives
Re: SSH1 CRC32 Compensation Attacks
From: Armando Ortiz <aortiz () onlinetraffic com>
Date: 10 Dec 2001 12:15:48 -0800
Upon further investigation of the compromise, I did discover another nifty little thing: This person, be it a root kit or an actual individual that did it, added a password to our user "mail" account. I'm guessing that in the event of a patch being applied to the server where all trojans were removed, the user "mail" could login. This was found in the /etc/shadow file. The user "mail" should not have a password as far as I'm aware.

Regards.

On Sun, 2001-12-09 at 07:36, Armando B. Ortiz wrote:

The attacks apparently took down two of our servers in a 4-server webfarm. They apparently leave the typical root kits and compromised/trojaned binaries. Unfortunately, I can't recover the other boxes and have to rebuild them. The intruder left compromised files relating to the operation of SSH as well as a trojaned SSH daemon. =:(

--
-----------------------------------------------------------------
From the Linux Box of Armando Ortiz
System Administrator
OnLineTraffic.com
Email: aortiz () onlinetraffic com
Download my public key from: ftp://209.185.214.98/pub/pubkeys/aortiz () onlinetraffic com pub
or retrieve it from http://www.keyserver.net as aortiz () onlinetraffic com
(Public Key expires 01/04/2002)
All emails from me are signed by this public key.
-----------------------------------------------------------------
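
The finding reported above, a password set on the "mail" service account in /etc/shadow, can be checked for across every system account on a host. The following is an added example, not part of the original message: the passwd and shadow entries are constructed, and `UID_MIN` and `EXPECTED` are assumptions to adjust for the distribution being examined.

```python
import datetime

# Constructed sample data for illustration; not taken from the compromised host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$1$constructd$PLACEHOLDERHASHROOT000:11600:0:99999:7:::
daemon:*:11600:0:99999:7:::
mail:$1$constructd$PLACEHOLDERHASHMAIL000:11666:0:99999:7:::
alice:$1$constructd$PLACEHOLDERHASHALICE0:11600:0:99999:7:::
"""

UID_MIN = 500        # assumption: first regular-user UID (1000 on many newer systems)
EXPECTED = {"root"}  # assumption: system accounts that legitimately have a password

def has_usable_password(field):
    """True if this shadow password field allows a password login."""
    if field == "":
        return True  # empty field: the account accepts a login with no password
    return not field.startswith(("!", "*"))  # a '!' or '*' prefix marks a locked account

def system_accounts_with_passwords(passwd_text, shadow_text,
                                   uid_min=UID_MIN, expected=EXPECTED):
    """Return (name, uid, last_change_date) for system accounts with a usable password."""
    uids = {}
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            uids[parts[0]] = int(parts[2])
    findings = []
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) < 3:
            continue
        name, pw, changed = parts[0], parts[1], parts[2]
        uid = uids.get(name)
        if uid is None or uid >= uid_min or name in expected:
            continue
        if has_usable_password(pw):
            # Field 3 is the last password change, in days since 1970-01-01.
            when = (datetime.date(1970, 1, 1) + datetime.timedelta(days=int(changed))
                    if changed.isdigit() else None)
            findings.append((name, uid, when))
    return findings

if __name__ == "__main__":
    for name, uid, when in system_accounts_with_passwords(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{name} (uid {uid}) has a usable password, last changed {when}")
```

Because the message reports trojaned binaries on the affected hosts, run this against copies of the two files read from the disk on a trusted system rather than on the compromised host itself. The last-change date gives a starting point for the incident timeline.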