Security Incidents mailing list archives
Re: SSH2 Exploit?
From: trott () SLOWPOISONERS COM (Richard Trott)
Date: Thu, 10 Feb 2000 16:08:58 -0800
> We recently had one of our remote logging servers compromised. It was totally locked down running only ssh2; all inet processes were turned off. Unfortunately, they obliterated the disk so we were not able to get any information about how they exploited our machine, however since the only point of entry was SSH2, I'm very concerned about a possible vulnerability in the code. What is the general consensus of the 'most secure' version of ssh? 1.2.27?
Don't know what the consensus is on the most secure version of ssh. Speaking personally, I run OpenSSH at home and 1.2.27 at work--beware the RSAREF bug. To my knowledge, there are no known exploits in either of those (barring the RSAREF thing which you can patch for or, license permitting, simply compile without RSAREF) or in the latest SSH 2.

But more to the point, if I were in your shoes, I'd seriously investigate the possibility that you were compromised by some other means. If the suggestions below seem rather basic, and thus insulting to your professional competence, I apologize. I'm just tryin' to help...

1) Were you really running nothing other than ssh? I mean, OK, inetd was not running. What about DNS? SMTP? etc.

2) If you really *weren't* running anything else, then I can only imagine you running a box with *nothing* but ssh as a server that a fairly large number of people from all over could log into. I may be wrong, of course, but if not...is it possible one or more of them shared their account with the wrong people? Or that one or more of them did some sort of local exploit?

3) Was the box physically secure? Is it possible that someone had access to the room with the box in it and was able to (for example) boot it from a CD?

4) Were there any guest type accounts or is it possible that there was an account with an easily guessed password?

5) You say they obliterated the disk...are you sure it was a break-in, then, and not some sort of disk failure or some root-owned local process gone amok due to a bug rather than cracking? How do you back up the machine? Is it possible that the backup process trashed the disk?

Someone busting in through SSH2 seems pretty unlikely...certainly possible, of course, and worthy of consideration...but I'd look at the above stuff first...

Rich
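Points 1 and 4 above reduce to two checks a responder can script before blaming the daemon: what was actually listening besides sshd, and which accounts are UID 0 or have no password at all. The script below is an added example, not code from this thread; it assumes a `netstat -an` style listing (hypothetical sample file) and passwd/shadow format files, and the sample data it writes is constructed so the checks can be dry-run offline.

```shell
#!/bin/sh
# Triage helpers for "was it really only ssh?" and "any weak accounts?".
# Added example, not from the original thread. Assumes POSIX sh and awk.

# Check 1: listening TCP sockets other than the port we expect (e.g. 22).
# $1 = file holding "netstat -an" style output, $2 = port to ignore.
# Prints the other listening ports, numerically sorted, space separated.
listeners_other_than() {
    awk -v keep="$2" '
        /LISTEN/ {
            n = split($4, a, "[.:]")   # local address; port is the last piece
            port = a[n]
            if (port != keep) print port
        }' "$1" | sort -n | uniq | tr '\n' ' ' | sed 's/ $//'
}

# Check 4: accounts that are UID 0 but not root, or whose shadow entry has
# an empty password field (i.e. no password required at all).
# $1 = passwd-format file, $2 = shadow-format file.
risky_accounts() {
    awk -F: '
        FNR == NR { if ($3 == 0 && $1 != "root") print $1 ":uid0"; next }
        $2 == ""  { print $1 ":nopass" }
    ' "$1" "$2" | sort | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample data (not from any real host) so the checks can be
# exercised without touching /etc. $1 = directory to write into.
write_samples() {
    cat > "$1/netstat.txt" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:40112          ESTABLISHED
EOF
    cat > "$1/passwd.txt" <<'EOF'
root:x:0:0:root:/root:/bin/sh
toor:x:0:0:backup root:/root:/bin/sh
guest:x:1001:1001:guest:/home/guest:/bin/sh
log:x:1002:1002:log reader:/var/log:/bin/sh
EOF
    cat > "$1/shadow.txt" <<'EOF'
root:$1$abcdefgh$ijklmnopqrstuvwxyz012:10990:0:99999:7:::
toor:$1$abcdefgh$ijklmnopqrstuvwxyz012:10990:0:99999:7:::
guest::10990:0:99999:7:::
log:$1$abcdefgh$ijklmnopqrstuvwxyz012:10990:0:99999:7:::
EOF
}

# Dry run against the constructed samples; on a real box you would feed
# the actual "netstat -an" output and /etc/passwd + /etc/shadow instead.
sample_dir=$(mktemp -d)
write_samples "$sample_dir"
echo "listening besides 22: $(listeners_other_than "$sample_dir/netstat.txt" 22)"
echo "risky accounts:       $(risky_accounts "$sample_dir/passwd.txt" "$sample_dir/shadow.txt")"
rm -rf "$sample_dir"
```

On the constructed data this reports SMTP (25) and DNS (53) listening alongside sshd, a second UID 0 account, and a passwordless guest login, which is exactly the kind of finding that makes an "ssh was the only way in" assumption fall apart.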