openssh 2.9p2 release 8.7 security alert!!!

Kent Engström kent at unit.liu.se
Fri Nov 30 22:56:29 EST 2001


Pin Lu <pin at stredo.com> writes:
> Hi, everyone:
> 
> My system was compromised a few days ago.
> The cracker attacked the system through openssh 2.9p2 release 8.7.
> I attached part of the log file.

It would be very nice (though it would of course be even nicer to find
out that it wasn't) to be more sure that 2.9p2 was actually up and
running on port 22 of the computer in question.  I have personally
told people to upgrade, received "OK, done."  and then still found
them running the old version, because the SSH server was not restarted
at upgrade time.

Unfortunately, that information is not available in the log below.

Perhaps version information could be included in some periodical
messages (such as "Generating new 768 bit RSA key.") or in 
"security alert messages" such as "...crc32 compensation attack..."


> 
> 
> Thanks.
> 
> Pin Lu (pin at stredo.com)
> 
> 
> Nov 25 11:33:05 ns sshd[10627]: Disconnecting: Corrupted check bytes on
> input.
> Nov 25 11:33:36 ns named[10478]: Lame server on '55.254.58.211.in-addr.arpa'
> (in '254.58.211.in-addr.arpa'?): [210.180.98.69].53 'ns2.hananet.net'
> Nov 25 11:33:36 ns named[10478]: Lame server on '55.254.58.211.in-addr.arpa'
> (in '254.58.211.in-addr.arpa'?): [210.94.0.7].53 'ns.hananet.net'
> Nov 25 11:33:36 ns named[10478]: ns_forw: query(55.254.58.211.in-addr.arpa)
> All possible A RR's lame
> Nov 25 11:33:45 ns sshd[10689]: Disconnecting: crc32 compensation attack:
> network attack detected
[...]


-- 
Kent Engström,		Linköping University Incident Response Team
kent at unit.liu.se  	abuse at liu.se
+46 13 28 1744

UNIT, Linköping University; SE-581 83  LINKÖPING; SWEDEN
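
The check described in the reply above, confirming which version the running daemon on port 22 reports rather than which package is installed, as an added example that is not part of the original message or of OpenSSH. The function names, the minimum-version tuple and the sample banner strings used with it are assumptions constructed for illustration.

```python
import re
import socket

# Identification string: SSH-<protoversion>-<softwareversion>[ <comments>]
_IDENT = re.compile(r"^SSH-(\d+\.\d+)-(\S+)(?: (.*))?$")
_OPENSSH = re.compile(r"^OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?")


def parse_ident(line):
    """Return (protocol, software, version_tuple or None) for a banner line."""
    m = _IDENT.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an SSH identification string: %r" % line)
    proto, software = m.group(1), m.group(2)
    v = _OPENSSH.match(software)
    # Missing components count as 0, so "2.9p2" becomes (2, 9, 0, 2).
    version = tuple(int(g or 0) for g in v.groups()) if v else None
    return proto, software, version


def read_ident(host, port=22, timeout=5.0):
    """Read the identification string the *running* daemon sends on connect."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        for _ in range(20):  # a server may send other lines before the banner
            raw = f.readline(256)
            if not raw:
                break
            line = raw.decode("ascii", "replace")
            if line.startswith("SSH-"):
                return line.rstrip("\r\n")
    raise ValueError("no SSH identification string received")


def running_at_least(ident, minimum):
    """True if the banner reports OpenSSH >= minimum (major, minor, patch, p)."""
    _, _, version = parse_ident(ident)
    if version is None:
        raise ValueError("not OpenSSH, cannot compare: %r" % ident)
    return version >= minimum


if __name__ == "__main__":
    import sys
    ident = read_ident(sys.argv[1])
    # (2, 9, 0, 2) stands for 2.9p2; substitute the version you upgraded to.
    print(ident, "OK" if running_at_least(ident, (2, 9, 0, 2)) else "STALE")
```

The banner carries only the upstream version string, so a packaging release number is not visible in it; run the check after every upgrade to catch a daemon that was never restarted.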




More information about the openssh-unix-dev mailing list