Security Incidents mailing list archives

ssh exploit


From: Lee Evans <lee () leeevans org>
Date: Thu, 14 Mar 2002 19:12:47 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi - is anyone aware of any open-ssh exploits doing the rounds currently? I'm 
running a fairly up to date version of openssh, although it probably is 
vulnerable to this:

http://online.securityfocus.com/cgi-bin/vulns-item.pl?section=exploit&id=4241

A couple of boxes I look after seem to have been exploited in some manner, and 
this is the only vulnerability I can find that they could be potentially 
susceptible to - however, this looks to be a local-only exploit. I was made 
aware of the problem by tripwire this morning, in that it notified me of a 
change to /usr/sbin/sshd.

The ssh daemons on the box were removed, and a bunch of new stuff was 
installed - ./usr/local/sbin/sshd (a link to:)  /usr/local/sbin/sshd2 and 
/usr/local/sbin/sshd-check-config. /usr/sbin/sshd (the original location) was 
then changed to a symbolic link to the newly installed /usr/local/sbin/sshd2. 
The new daemon no longer logs through syslog, and appears to open another TCP 
port (1503). I'm still trying to work out exactly what's happened, though, so 
that's about all the information I have for the moment. I have copies of the 
seemingly trojaned binaries, if anybody wants them.

Any information anyone can give me will be gratefully received. If I've missed 
some important info, please say so...

Regards
- -- 
Lee Evans
http://www.leeevans.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8kPYwhtUFQXeFbZYRAgysAKClfSsCwW2UhNt4Am+pN/bte7fNrwCdF528
ZhdNXljJ7TV3yIlXvgv8PzI=
=KG2T
-----END PGP SIGNATURE-----
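The post describes two observable symptoms of the replaced daemon: the original /usr/sbin/sshd turned into a symlink pointing at a binary installed elsewhere, and a daemon listening on an extra TCP port. The following is an added example, not code from the poster or from any project mentioned above, of how a defender can check for both against a known-good baseline. It assumes a Tripwire-style baseline of SHA-256 digests keyed by path and `ss -ltn`-shaped listener output; the file contents and the listener table it uses are constructed stand-ins, and the trojaned layout is recreated inside a temporary directory so the script runs offline.

```python
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """Digest a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_binaries(baseline: dict) -> list:
    """Compare each baselined path against disk.

    A symlink is reported before hashing: a package-installed daemon should be a
    regular file, and following the link would hash the replacement, not the
    original. Missing files and digest mismatches are reported as well.
    """
    findings = []
    for path, expected in baseline.items():
        if not os.path.lexists(path):
            findings.append(f"{path}: missing")
        elif os.path.islink(path):
            findings.append(f"{path}: is now a symlink -> {os.readlink(path)}")
        else:
            actual = sha256_file(path)
            if actual != expected:
                findings.append(f"{path}: hash mismatch (expected {expected[:12]}..., got {actual[:12]}...)")
    return findings


def unexpected_listeners(ss_output: str, allowed_ports: set) -> list:
    """Parse `ss -ltn` style output and return listening TCP ports not in the allow list."""
    found = set()
    for line in ss_output.strip().splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue  # header or non-listening row
        local = parts[3]
        port = int(local.rsplit(":", 1)[1])  # handles both 0.0.0.0:22 and [::]:22
        if port not in allowed_ports:
            found.add(port)
    return sorted(found)


# Constructed listener table mirroring the post: sshd on 22 plus an extra port 1503.
SAMPLE_SS_OUTPUT = """
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     0.0.0.0:1503        0.0.0.0:*
LISTEN  0       128     [::]:22             [::]:*
"""


def simulate_trojaned_sshd() -> list:
    """Recreate the described tampering in a temp dir and return the audit findings.

    Baseline is taken while the stand-in sshd is a regular file; the file is then
    removed and replaced by a symlink to a stand-in sshd2 under usr/local/sbin.
    """
    with tempfile.TemporaryDirectory() as root:
        sshd = os.path.join(root, "usr", "sbin", "sshd")
        os.makedirs(os.path.dirname(sshd))
        with open(sshd, "wb") as f:
            f.write(b"#!/bin/sh\n# constructed stand-in for the real sshd binary\n")
        baseline = {sshd: sha256_file(sshd)}
        if audit_binaries(baseline):
            raise RuntimeError("baseline should be clean before tampering")

        sshd2 = os.path.join(root, "usr", "local", "sbin", "sshd2")
        os.makedirs(os.path.dirname(sshd2))
        with open(sshd2, "wb") as f:
            f.write(b"#!/bin/sh\n# constructed stand-in for the replacement daemon\n")
        os.remove(sshd)
        os.symlink(sshd2, sshd)
        return audit_binaries(baseline)


if __name__ == "__main__":
    for finding in simulate_trojaned_sshd():
        print("binary:", finding)
    for port in unexpected_listeners(SAMPLE_SS_OUTPUT, {22}):
        print("unexpected listening port:", port)
```

In practice the baseline digests are recorded from known-good media before a host goes into service and stored off-box, since a baseline kept on the compromised host is as trustworthy as the binaries it describes. The symlink check matters on its own: a hash comparison that follows links would silently hash the replacement.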


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

