Vulnerability Development mailing list archives
Re: SSH exploit
From: vision () WHITEHATS COM (Max Vision)
Date: Wed, 24 Nov 1999 18:27:18 -0800
On Wed, 24 Nov 1999, El Nahual wrote:
> Eerrrmmmm being fast here there is already an exploit going on there, s0d's server got hit by it, we are still examining the logs and look very very promising on discovering what is going on (looks like remote root is possible)

It is extremely unlikely that you were actually compromised by an exploit in the ssh protocol itself. Especially since you offer shells. Very often users who typically encrypt their sessions will do revealing things such as:

1. using a plaintext protocol to the same site, where authentication is in the clear, such as FTP, POP3, IMAP, etc. Then it gets sniffed and an attacker can ssh right in (this is most likely what happened at Rootshell, and other sites). Most people fail to set up RSA
2. using the same password at other sites/services as they do for their shell access at your site

or possibly a compromise via another channel that was made to look like an SSH compromise. I would love to see the logs.

> If anyone is interested email me because I don't think everyone wants to receive the entire log (which is quite large!)

What sort of log do you have? If you have packet trace data like snort/dragon/tcpdump then you could probably do some reasonable forensics, otherwise...

Max