Security Incidents mailing list archives
Re: Voluminous SSHd scanning; possible worm activity?
From: Florian Weimer <Florian.Weimer () RUS Uni-Stuttgart DE>
Date: 10 Dec 2001 23:44:57 +0100
"Schroeder, Eric" <Eric.Schroeder () westgroup com> writes:
> > On Mon, 10 Dec 2001, Schroeder, Eric wrote:
> > > There was a recent vulnerability discovered in RedHat's OpenSSH. I have included the RH notice on the fix.
> >
> > Thanks...but, um...I'm running Solaris 7. So far, none of my boxen seem to have been successfully penetrated; just scanned until they squeal.
>
> True, but the people scanning don't know what OS you are running until they scan you. I'll also be willing to bet that most of them are automated, which won't take into account different OS's.

For what it's worth, the bug is present in Solaris, too (unless /bin/login is linked statically and cannot be affected by environment variables in any way, that is). However, this is not a remote problem per se, its impact is the possibility of a local root compromise, so I wouldn't scan to exploit this vulnerability.

Maybe we're seeing some psychological effect here: In the past, people tended to believe that SSH implementations were secure, apart from a few rather esoteric defects without much practical relevance. Now we've been shown that this isn't true, and people start to fill their databases with mappings between IP addresses and SSH implementation identification strings.

BTW, are there any free SSH implementations apart from the OpenBSD one?

--
Florian Weimer                    Florian.Weimer () RUS Uni-Stuttgart DE
University of Stuttgart           http://cert.uni-stuttgart.de/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com