Re: ssh exploit

[Lee Evans <lee () leeevans org>]

Sorry - the version of ssh I was running was openssh-2.9p2-8.7.

The relevant files available here:
http://www.leeevans.org/downloads/sshr.tgz

I may have to retract my earlier statement that it opened TCP port 1503 - im 
not so sure on that now.

Thanks
Lee
-- 
Lee Evans
http://www.leeevans.org


On Thursday 14 Mar 2002 21:42 pm, you wrote:
> Lee,
>
> Where can I grab a copy of that new sshd that you've obtained.
>
> Thanks,
>
> W
>
> Any chance to give details on running sshd version  and possibly examine
> the contents?
>
> Lee Evans <lee () leeevans org> spoke:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > HI - is anyone aware of any open-ssh exploits doing the rounds currently?
> > I'm running a fairly up to date version of openssh, although it probably
> > is vulnerable to this:
> >
> > http://online.securityfocus.com/cgi-bin/vulns-item.pl?section=exploit&id=
> > 4241
> >
> > A couple of boxes I look after seem to have been exploited in some
> > manner, and this is the only vulnerability I can find that they could be
> > potentially susceptible to - however, this looks to be a local-only
> > exploit. I was made aware of the problem by tripwire this morning, in
> > that it notified me of a change to /usr/sbin/sshd.
> >
> > The ssh daemons on the box were removed, and a bunch of new stuff was
> > installed - ./usr/local/sbin/sshd (a link to:)  /usr/local/sbin/sshd2 and
> > /usr/local/sbin/sshd-check-config. /usr/sbin/sshd (the original location)
> > was then changed to a symbolic link to the newly installed
> > /usr/local/sbin/sshd2. The new daemon no longer logs through syslog, and
> > appears to open another TCP port (1503). I'm still trying to work out
> > exactly what's happened, though, so thats about all the informaton I have
> > for the moment. I have copies of the seemingly trojaned binaries, if
> > anybody wants them.
> >
> > Any information anyone can give me will be greatfully received. If i've
> > missed some important info, please say so...
> >
> > Regards
> > - --
> > Lee Evans
> > http://www.leeevans.org
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.0.6 (GNU/Linux)
> > Comment: For info see http://www.gnupg.org
> >
> > iD8DBQE8kPYwhtUFQXeFbZYRAgysAKClfSsCwW2UhNt4Am+pN/bte7fNrwCdF528
> > ZhdNXljJ7TV3yIlXvgv8PzI=
> > =KG2T
> > -----END PGP SIGNATURE-----
> >
> >
> > -------------------------------------------------------------------------
> > --- This list is provided by the SecurityFocus ARIS analyzer service. For
> > more information on this free incident handling, management
> > and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com