[ale] ssh exploited?

James P. Kinney III jkinney at localnetsolutions.com
Thu Feb 7 13:02:32 EST 2002


Openssl is used as a static/dynamic crypto library. You will need to
install the latest openssl. 

With the crypto stuff, I have had _much_ better success compiling from
the src.rpm. Unless you are using a stock RedHat system, it will avoind
library mismatches. If you are using a stock RedHat system, get the
upgrades from RedHat. They are all built for their distributions. 

If you need to compile from src.rpm, dig through the openssh.spec file.
Find the line :
# Options for static OpenSSL link:
# rpm -ba|--rebuild --define "static_openssl 1"
%{?static_openssl:%define static_libcrypto 1}

This will compile the openssl libs statically into the openssh binaries.
It will become more portable. It will also become somewhat larger, but
not that much.

If you want it to use the dynamic openssl, change the "1" to a "0":
%{?static_openssl:%define static_libcrypto 0}

On Thu, 2002-02-07 at 11:25, Michael E. Barker wrote:
> "James P. Kinney III" wrote:
> > 
> > Check your version of ssh. Openssh v. 3.0+ is NOT vunerable to that
> > overflow error.
> > 
> > Also, verify that the interface it's coming in on is really what you
> > think it is. Add a firewall rule to log incoming port 22 packets. You
> > can set the log string to be what ever you want. So set one for external
> > interface and one for internal interface.
> > 
> > On Wed, 2002-02-06 at 22:30, John Wells wrote:
> > > I was examining my snort log files on my firewall
> > > tonight and found a ssh exploit notification (see end
> > > of this message).
> > >
> > > The scary (odd) thing is, it seems to be coming from a
> > > box on my internal lan (172.16.2.4) to my
> > > gateway/firewall (172.16.2.1).  Does this mean that my
> > > internal box has been compromised?  Or is this
> > > something snort is picking up when I ssh from machine
> > > to machine?
> > >
> > > Thanks for your input...
> > >
> > > John
> > > ----------------------------------------
> > >
> > > [**] [1:1325:2] EXPLOIT ssh CRC32 overflow filler [**]
> > > [Classification: Executable code was detected]
> > > [Priority: 1]
> > > 01/27-20:02:27.610333 172.16.2.4:33834 ->
> > > 172.16.2.1:22
> > > TCP TTL:64 TOS:0x0 ID:44352 IpLen:20 DgmLen:684 DF
> > > ***AP*** Seq: 0x3FFCB271  Ack: 0xE2D6D162  Win: 0x16D0
> > >  TcpLen: 32
> > > TCP Options (3) => NOP NOP TS: 1580910 1633560
> > > [Xref => http://www.securityfocus.com/bid/2347]
> > > [Xref =>
> > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0144]
> > >
> > > [**] [1:1325:2] EXPLOIT ssh CRC32 overflow filler [**]
> > > lassification: Executable code was detected]
> > > [Priority: 1]
> > > 01/27-20:02:27.610333 172.16.2.4:33834 ->
> > > 172.16.2.1:22
> > > TCP TTL:64 TOS:0x0 ID:44352 IpLen:20 DgmLen:684 DF
> > > ***AP*** Seq: 0x3FFCB271  Ack: 0xE2D6D162  Win: 0x16D0
> > >  TcpLen: 32
> > > TCP Options (3) => NOP NOP TS: 1580910 1633560
> > > [Xref => http://www.securityfocus.com/bid/2347]
> > > [Xref =>
> > > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0144]
> > >
> > >
> > >
> > >
> > > __________________________________________________
> > > Do You Yahoo!?
> > > Send FREE Valentine eCards with Yahoo! Greetings!
> > > http://greetings.yahoo.com
> > >
> > > ---
> > > This message has been sent through the ALE general discussion list.
> > > See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
> > > sent to listmaster at ale dot org.
> > >
> > --
> > James P. Kinney III   \Changing the mobile computing world/
> > President and COO      \          one Linux user         /
> > Local Net Solutions,LLC \           at a time.          /
> > 770-493-8244             \.___________________________./
> > 
> > GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
> > <jkinney at localnetsolutions.com>
> > Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
> > 
> >   ------------------------------------------------------------------------
> >                        Name: signature.asc
> >    signature.asc       Type: application/pgp-signature
> >                 Description: This is a digitally signed message part
> 
> I have upgraded to sshV3+ via rpm -U but I get a message about mismatch
> with openssl.:
> 
> OpenSSL version mismatch. Built against 90581f, you have 90602f
> [FAILED]
> 
> I upgraded openssl to 0.9.6c but still get the same message when trying
> to restart sshd.
> 
> I'm doing this remote on a machine that is 80miles from me and want to
> be careful not to hose my connectivity.
> 
> Any suggestions?
> -- 
> -Michael
> 
> ---
> This message has been sent through the ALE general discussion list.
> See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
> sent to listmaster at ale dot org.
> 
-- 
James P. Kinney III   \Changing the mobile computing world/
President and COO      \          one Linux user         /
Local Net Solutions,LLC \           at a time.          /
770-493-8244             \.___________________________./

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7 



 This is a digitally signed message part




More information about the Ale mailing list