Vulnerability Development mailing list archives

Re: SSH exploit


From: vision () WHITEHATS COM (Max Vision)
Date: Wed, 24 Nov 1999 18:27:18 -0800


On Wed, 24 Nov 1999, El Nahual wrote:
> Eerrrmmmm being fast here there is already an exploit going on there,
> s0d's server got hit by it, we are still examining the logs and it looks very
> very promising on discovering what is going on (looks like remote root is
> possible)

It is extremely unlikely that you were actually compromised by an exploit
in the ssh protocol itself.  Especially since you offer shells.  Very
often users who typically encrypt their sessions will do revealing things
such as:
 1. using a plaintext protocol to the same site, where authentication
    is in the clear, such as FTP, POP3, IMAP, etc.  Then it gets sniffed
    and an attacker can ssh right in (this is most likely what happened
    at Rootshell, and other sites)  Most people fail to set up RSA
 2. using the same password at other sites/services as they do for their
    shell access at your site

or possibly a compromise via another channel that was made to look like an
SSH compromise.  I would love to see the logs.

> If anyone is interested email me because I don't think everyone wants to
> receive the entire log (which is quite large!)

What sort of log do you have?  If you have packet trace data like
snort/dragon/tcpdump then you could probably do some reasonable forensics,
otherwise...

Max
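One defensive check in the spirit of Max's first point, added here as an example and not part of the thread: correlate cleartext-protocol logins (FTP, POP3) with later password-based SSH logins by the same user from a source never seen for that user's cleartext sessions. The log formats, host name and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the thread): syslog-style entries from
# an FTP daemon, a POP3 daemon and sshd on one shell host. Formats are assumed.
SAMPLE_LOG = """\
Nov 24 17:02:11 shell ftpd[2101]: USER alice login from 198.51.100.7
Nov 24 17:05:40 shell popd[2133]: Login user=bob host=203.0.113.5
Nov 24 17:31:09 shell sshd[2201]: Accepted password for alice from 192.0.2.99 port 40122 ssh2
Nov 24 17:40:00 shell sshd[2210]: Accepted password for bob from 203.0.113.5 port 51000 ssh2
Nov 24 17:50:00 shell sshd[2222]: Accepted publickey for carol from 192.0.2.10 port 51001 ssh2
"""

# Cleartext-protocol logins: the password crossed the wire unencrypted.
CLEARTEXT_RE = re.compile(
    r"(?:ftpd\[\d+\]: USER (?P<u1>\S+) login from (?P<h1>[\d.]+)"
    r"|popd\[\d+\]: Login user=(?P<u2>\S+) host=(?P<h2>[\d.]+))"
)
# SSH logins; only password logins matter, since a sniffed password does not
# help against RSA/publickey authentication.
SSH_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>password|publickey) for (?P<user>\S+) from (?P<host>[\d.]+)"
)


def find_suspect_ssh_logins(log_text):
    """Return (user, ssh_source, cleartext_sources) for each password SSH login
    by a user whose password was earlier sent in the clear, when the SSH
    session comes from an address never seen for that user's cleartext logins."""
    cleartext_hosts = defaultdict(set)  # user -> hosts that logged in over FTP/POP3
    suspects = []
    for line in log_text.splitlines():
        m = CLEARTEXT_RE.search(line)
        if m:
            user = m.group("u1") or m.group("u2")
            host = m.group("h1") or m.group("h2")
            cleartext_hosts[user].add(host)
            continue
        m = SSH_RE.search(line)
        if m and m.group("method") == "password":
            user, host = m.group("user"), m.group("host")
            if user in cleartext_hosts and host not in cleartext_hosts[user]:
                suspects.append((user, host, sorted(cleartext_hosts[user])))
    return suspects


if __name__ == "__main__":
    for user, host, seen in find_suspect_ssh_logins(SAMPLE_LOG):
        print(f"{user}: ssh password login from {host}; cleartext logins only from {seen}")
```

A hit is a lead for the kind of forensics Max describes, not proof of sniffing; the same pattern also appears when a user simply moves between networks.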

