Security Incidents mailing list archives

Re: Voluminous SSHd scanning; possible worm activity?


From: Florian Weimer <Florian.Weimer () RUS Uni-Stuttgart DE>
Date: 10 Dec 2001 23:44:57 +0100

"Schroeder, Eric" <Eric.Schroeder () westgroup com> writes:

>> On Mon, 10 Dec 2001, Schroeder, Eric wrote:
>>
>>> There was a recent vulnerability discovered in RedHat's OpenSSH. I
>>> have included the RH notice on the fix.
>>
>>      Thanks...but, um...I'm running Solaris 7.  So far, none of my
>> boxen seem to have been successfully penetrated; just scanned until they
>> squeal.
>
> True, but the people scanning don't know what OS you are running until they
> scan you.  I'll also be willing to bet that most of them are automated,
> which won't take into account different OS's.

For what it's worth, the bug is present in Solaris, too (unless
/bin/login is linked statically and cannot be affected by environment
variables in any way, that is).

However, this is not a remote problem per se, its impact is the
possibility of a local root compromise, so I wouldn't scan to exploit
this vulnerability.

Maybe we're seeing some psychological effect here: In the past, people
tended to believe that SSH implementations were secure, apart from a few
rather esoteric defects without much practical relevance.  Now we've
been shown that this isn't true, and people start to fill their
databases with mappings between IP addresses and SSH implementation
identification strings.

BTW, are there any free SSH implementations apart from the OpenBSD
one?

-- 
Florian Weimer                    Florian.Weimer () RUS Uni-Stuttgart DE
University of Stuttgart           http://cert.uni-stuttgart.de/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898
