Security Incidents mailing list archives
Re: SSH1 CRC32 Compensation Attacks
From: Andreas Östling <andreaso () it su se>
Date: Mon, 10 Dec 2001 19:38:13 +0100 (CET)
On 9 Dec 2001, Armando B. Ortiz wrote:
> The attacks apparently took down two of our servers in a 4-server webfarm. They apparently leave the typical root kits and compromised/trojaned binaries. Unfortunately, I can't recover the other boxes and have to rebuild them. The intruder left compromised files relating to the operation of SSH as well as a trojaned SSH daemon. =:(
Do you know what kind of trojaned sshd it was and any of its features? Was it by any chance "Root Kit SSH 6.0 by timecop"? (http://openbsd.org.br/ouah/progs/rkssh6.tar.gz)

I've seen this kit being installed after other intrusions via the CRC-32 compensation attack detector vulnerability.

/Andreas

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com