Correction: 0day exploit for OpenSSH is a trojan

[Doug Pearson <dodpears () INDIANA EDU>]

The NetFlow data seen was from commercial Internet traffic at a GigaPoP, not Abilene NetFlow.
-dp


> Based on reports received by the REN-ISAC:
>
> The 0day exploit, purported to be an exploit of the OpenSSH vulnerability (CA-2003-24)[1], rather than compromising a 
> remote OpenSSH system, actually is a trojan that compromises the system running the code. The trojan gathers data from 
> the local system including password, shadow password, known hosts, and network configuration files, and e-mails the 
> data to a remote system. Abilene NetFlow data shows a small amount of activity related to this trojan.
>
> 0day requires root authority, therefore, properly managed central servers should not be at risk.
>
> More details will be sent as they become available.
>
> [1] CERT Advisory CA-2003-24 Buffer Management Vulnerability in OpenSSH
> http://www.cert.org/advisories/CA-2003-24.html
>
>
> Regards,
>
> Doug Pearson
> REN-ISAC Director
> ren-isac () iu edu
> http://www.ren-isac.net

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.