Security Incidents mailing list archives

Re: Attacks against SSH?

From: johan.augustsson () adm gu se
Date: Thu, 06 Dec 2001 08:01:04 +0100


Has anyone seen anything from this guy?
It would be interesting to know what version of BIND and SSH he was
running and if the logs showed anything at all.

If he was running the latest versions of BIND and OpenSSH that RedHat
has RPMs for and still got compromised I would like to know how that
happened.

--------------------------------------------------------------------
Johan Augustsson                 Phone: +46 (0)31 773 1000
Incident Response Team           Fax: +46 (0)31 773 1087
Göteborg University              E-mail: Johan.Augustsson () adm gu se
Sweden
--------------------------------------------------------------------


Renee Teunissen wrote:

I was running http/https (apache), smtp (postfix) and named. All with the
lastest versions. I saw several things in the logs which gave me the
impression it was sshd. I will send this to the list as soon as I'm home.

Renee.
----- Original Message -----
From: <johan.augustsson () adm gu se>
To: "Renee Teunissen" <renee () wittenburg10c nl>
Sent: Tuesday, December 04, 2001 8:32 AM
Subject: Re: Attacks against SSH?

Renee Teunissen wrote:


The same seemed to happened to me last weekend, and am still

investigating

what went wrong. I thought, sinds I forgot do disable SSH-1, that this

was

the reason. Is it or not?

I'm running redhat 7.0 will all the lastest security fixes, could not

find

anything on securityfocus nor packetstorm about this ssh-problem, and I
fooled or what?



What services where running at the time of the intrusion?
What versions? Did you restart sshd after upggrading it?

The following will tell you version and protocol of sshd
% telnet 192.168.1.2 22
Trying 192.168.1.2...
Connected to 192.168.1.2
Escape character is '^]'.
SSH-2.0-OpenSSH_3.0.2p1


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Re: Attacks against SSH?, (continued)
- - - Re: Attacks against SSH? f.johan.beisser (Dec 04)
    - SSH1 CRC32 Compensation Attacks Armando B. Ortiz (Dec 10)
    - Re: SSH1 CRC32 Compensation Attacks Andreas Östling (Dec 10)
    - Re: SSH1 CRC32 Compensation Attacks Armando Ortiz (Dec 10)
  - Re: Attacks against SSH? Florian Weimer (Dec 04)
- Re: Attacks against SSH? Armando B. Ortiz (Dec 03)
  - Re: Attacks against SSH? Steven S (Dec 03)
  - Re: Attacks against SSH? Adam Manock (Dec 04)
- Re: Attacks against SSH? Andreas Wiesmann (Dec 03)
- Re: Attacks against SSH? Cy Schubert - ITSD Open Systems Group (Dec 03)
- Message not available
  - Message not available
    - Message not available
    - Re: Attacks against SSH? johan . augustsson (Dec 06)
- RE: Attacks against SSH? CHURCH,GENO (Non-HP-USA,ex1) (Dec 04)
- Re: Attacks against SSH? Russell Fulton (Dec 05)
  - Re: Attacks against SSH? David Chin (Dec 05)
  - Re: Attacks against SSH? Skip Carter (Dec 05)
    - Re: Attacks against SSH? Skip Carter (Dec 06)