[ale] ssh exploited?

James P. Kinney III jkinney at localnetsolutions.com
Wed Feb 6 22:42:23 EST 2002 

Check your version of ssh. Openssh v. 3.0+ is NOT vunerable to that
overflow error. 

Also, verify that the interface it's coming in on is really what you
think it is. Add a firewall rule to log incoming port 22 packets. You
can set the log string to be what ever you want. So set one for external
interface and one for internal interface.

On Wed, 2002-02-06 at 22:30, John Wells wrote:
> I was examining my snort log files on my firewall
> tonight and found a ssh exploit notification (see end
> of this message).
> 
> The scary (odd) thing is, it seems to be coming from a
> box on my internal lan (172.16.2.4) to my
> gateway/firewall (172.16.2.1).  Does this mean that my
> internal box has been compromised?  Or is this
> something snort is picking up when I ssh from machine
> to machine?
> 
> Thanks for your input...
> 
> John
> ----------------------------------------
> 
> [**] [1:1325:2] EXPLOIT ssh CRC32 overflow filler [**]
> [Classification: Executable code was detected]
> [Priority: 1]
> 01/27-20:02:27.610333 172.16.2.4:33834 ->
> 172.16.2.1:22
> TCP TTL:64 TOS:0x0 ID:44352 IpLen:20 DgmLen:684 DF
> ***AP*** Seq: 0x3FFCB271  Ack: 0xE2D6D162  Win: 0x16D0
>  TcpLen: 32
> TCP Options (3) => NOP NOP TS: 1580910 1633560
> [Xref => http://www.securityfocus.com/bid/2347]
> [Xref =>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0144]
> 
> [**] [1:1325:2] EXPLOIT ssh CRC32 overflow filler [**]
> lassification: Executable code was detected]
> [Priority: 1]
> 01/27-20:02:27.610333 172.16.2.4:33834 ->
> 172.16.2.1:22
> TCP TTL:64 TOS:0x0 ID:44352 IpLen:20 DgmLen:684 DF
> ***AP*** Seq: 0x3FFCB271  Ack: 0xE2D6D162  Win: 0x16D0
>  TcpLen: 32
> TCP Options (3) => NOP NOP TS: 1580910 1633560
> [Xref => http://www.securityfocus.com/bid/2347]
> [Xref =>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0144]
> 
> 
> 
> 
> __________________________________________________
> Do You Yahoo!?
> Send FREE Valentine eCards with Yahoo! Greetings!
> http://greetings.yahoo.com
> 
> ---
> This message has been sent through the ALE general discussion list.
> See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
> sent to listmaster at ale dot org.
> 
-- 
James P. Kinney III   \Changing the mobile computing world/
President and COO      \          one Linux user         /
Local Net Solutions,LLC \           at a time.          /
770-493-8244             \.___________________________./

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7 



 This is a digitally signed message part

More information about the Ale mailing list