two potentially troubling posts to full-disclosure

Zube Zube at CS.ColoState.EDU
Tue Sep 16 11:08:23 EST 2003


I haven't seen anything about this here and thought I should pass it along.
christopher neitzert <chris at neitzert.com> made two postings to the 
full-disclosure list earlier today.  They stated, in part:

*****
Does anyone know of or have source related to a new, and unpublished ssh
exploit?  An ISP I work with has filtered all SSH connections due to
several root level incidents involving ssh. Any information is
appreciated.
*****

and later:

*****
More on this;

The systems in question are FreeBSD, RedHat, Gentoo, and Debian all
running the latest versions of OpenSSH.

The attack makes an enormous amount of ssh connections and attempts
various offsets until it finds one that works permitting root login.

I have received numerous messages from folks requesting anonymity or
direct-off-list-reply confirming this exploit;
*****

Later, Justin Kreger <jkreger at lwolenczak.net> reported that he had heard
that privsec had been enabled on the compromised machines.

I am aware that much of this is hearsay, but sometimes smoke -> fire. 
Anyone have any further information?

Cheers,
Zube  




More information about the openssh-unix-dev mailing list