[ale] ssh exploited?
Michael E. Barker
mbarker68 at home.com
Thu Feb 7 11:25:15 EST 2002
"James P. Kinney III" wrote:
>
> Check your version of ssh. Openssh v. 3.0+ is NOT vunerable to that
> overflow error.
>
> Also, verify that the interface it's coming in on is really what you
> think it is. Add a firewall rule to log incoming port 22 packets. You
> can set the log string to be what ever you want. So set one for external
> interface and one for internal interface.
>
> On Wed, 2002-02-06 at 22:30, John Wells wrote:
> > I was examining my snort log files on my firewall
> > tonight and found a ssh exploit notification (see end
> > of this message).
> >
> > The scary (odd) thing is, it seems to be coming from a
> > box on my internal lan (172.16.2.4) to my
> > gateway/firewall (172.16.2.1). Does this mean that my
> > internal box has been compromised? Or is this
> > something snort is picking up when I ssh from machine
> > to machine?
> >
> > Thanks for your input...
> >
> > John
> > ----------------------------------------
> >
> > [**] [1:1325:2] EXPLOIT ssh CRC32 overflow filler [**]
> > [Classification: Executable code was detected]
> > [Priority: 1]
> > 01/27-20:02:27.610333 172.16.2.4:33834 ->
> > 172.16.2.1:22
> > TCP TTL:64 TOS:0x0 ID:44352 IpLen:20 DgmLen:684 DF
> > ***AP*** Seq: 0x3FFCB271 Ack: 0xE2D6D162 Win: 0x16D0
> > TcpLen: 32
> > TCP Options (3) => NOP NOP TS: 1580910 1633560
> > [Xref => http://www.securityfocus.com/bid/2347]
> > [Xref =>
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0144]
> >
> > [**] [1:1325:2] EXPLOIT ssh CRC32 overflow filler [**]
> > lassification: Executable code was detected]
> > [Priority: 1]
> > 01/27-20:02:27.610333 172.16.2.4:33834 ->
> > 172.16.2.1:22
> > TCP TTL:64 TOS:0x0 ID:44352 IpLen:20 DgmLen:684 DF
> > ***AP*** Seq: 0x3FFCB271 Ack: 0xE2D6D162 Win: 0x16D0
> > TcpLen: 32
> > TCP Options (3) => NOP NOP TS: 1580910 1633560
> > [Xref => http://www.securityfocus.com/bid/2347]
> > [Xref =>
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0144]
> >
> >
> >
> >
> > __________________________________________________
> > Do You Yahoo!?
> > Send FREE Valentine eCards with Yahoo! Greetings!
> > http://greetings.yahoo.com
> >
> > ---
> > This message has been sent through the ALE general discussion list.
> > See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
> > sent to listmaster at ale dot org.
> >
> --
> James P. Kinney III \Changing the mobile computing world/
> President and COO \ one Linux user /
> Local Net Solutions,LLC \ at a time. /
> 770-493-8244 \.___________________________./
>
> GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
> <jkinney at localnetsolutions.com>
> Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
>
> ------------------------------------------------------------------------
> Name: signature.asc
> signature.asc Type: application/pgp-signature
> Description: This is a digitally signed message part
I have upgraded to sshV3+ via rpm -U but I get a message about mismatch
with openssl.:
OpenSSL version mismatch. Built against 90581f, you have 90602f
[FAILED]
I upgraded openssl to 0.9.6c but still get the same message when trying
to restart sshd.
I'm doing this remote on a machine that is 80miles from me and want to
be careful not to hose my connectivity.
Any suggestions?
--
-Michael
---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
sent to listmaster at ale dot org.
More information about the Ale
mailing list