Security Incidents mailing list archives
Re: Attacks against SSH?
From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert () uumail gov bc ca>
Date: Mon, 03 Dec 2001 13:10:27 -0800
Wu-ftpd raises a red flag, as it is more likely to be the compromise vehicle than OpenSSH. I'm not ruling out OpenSSH; however, without any proof, just conjecture based upon incomplete log information (we don't know if wu-ftpd was logging anything), we really don't know whether OpenSSH or wu-ftpd was the entry point.

Additionally, I notice that the hostname is "ns". Could BIND be running on this system? Has BIND been ruled out as a point of compromise?

I'm not saying that it's not OpenSSH. I'm pointing out that especially during compromise investigations we need to avoid jumping to conclusions.

Regards,

Cy Schubert
Team Leader, Sun/Alpha Team
Open Systems Group, ITSD
Ministry of Management Services
Province of BC
Phone: (250)387-8437
Fax: (250)387-5766
Email: Cy.Schubert () osg gov bc ca

In message <3C0B2A0F.944E79A3 () adm gu se>, johan.augustsson () adm gu se writes:
I stumbled over this post at the openssh-unix-dev mailing list last week - http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=100701808712180&w=2

The poster claims that he had OpenSSH-2.9p2-8.7 (latest update for RedHat 7.0) up and running when he received what looks to be a CRC32 attack. A few minutes later you can see (he posted parts of the logfile) a new user being created with uid=0 and then how a connection is made from a system in Israel. There has been no confirmation about what he writes, but I received the following mail as an answer to my questions.

------ Message ------

I posted an openssh security alert earlier today and already got some responses. Thanks for everything. Instead of replying to everyone individually I composed the details of the attack.

+++

It does not look like the job of worms. Snort did not detect a mass port scan from the attacker's IP address. It seems that he (I assumed, so I don't have to type he/she all the way) just wants to gain access through openssh.

The server is running Red Hat 7.0, with all packages up to date. The following daemons are running: wu-ftpd, apache, telnet, openssh, named. I never access the system via telnet; it is there just for backup purposes.
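One defender-side check for the indicator in the forwarded report (a new account created with uid=0), as an added example that is not part of the original thread: it audits constructed /etc/passwd content for uid-0 accounts other than root and scans constructed syslog lines for useradd events that created one. The useradd log line format is an assumption about shadow-utils output; verify it against your own distribution's logs.

```python
"""Audit for unexpected uid-0 accounts. Added example; the passwd and
syslog content below is constructed, not taken from the incident."""
import re

# Constructed /etc/passwd content (sample only).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
johan:x:500:500:Johan:/home/johan:/bin/bash
toor:x:0:0::/root:/bin/bash
"""

# Constructed syslog lines in the shape shadow-utils useradd emits
# (the format is an assumption; check your own logs).
SAMPLE_SYSLOG = """Dec  3 02:14:11 ns useradd[2311]: new user: name=toor, UID=0, GID=0, home=/root, shell=/bin/bash
Dec  3 02:14:12 ns useradd[2311]: new group: name=toor, GID=503
Dec  3 02:15:40 ns useradd[2340]: new user: name=web, UID=501, GID=501, home=/home/web, shell=/bin/bash
"""

USERADD_RE = re.compile(
    r"useradd\[\d+\]: new user: name=(?P<name>[^,]+), UID=(?P<uid>\d+)"
)


def uid0_accounts(passwd_text, allowed=("root",)):
    """Return names of uid-0 accounts in passwd_text not on the allow-list."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] not in allowed:
            found.append(fields[0])
    return found


def uid0_creations(syslog_text):
    """Return (timestamp, name) for each useradd event that created a uid-0 account."""
    hits = []
    for line in syslog_text.splitlines():
        m = USERADD_RE.search(line)
        if m and m.group("uid") == "0":
            hits.append((line[:15], m.group("name")))  # syslog timestamp is 15 chars
    return hits


if __name__ == "__main__":
    print("unexpected uid-0 accounts:", uid0_accounts(SAMPLE_PASSWD))
    print("uid-0 creations in log:", uid0_creations(SAMPLE_SYSLOG))
```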
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com