Re: Anyone Else Getting Hits Like This ?


Subject: Re: Anyone Else Getting Hits Like This ?
From: James Zuelow (e5z8652@zuelow.net)
Date: Sat Mar 02 2002 - 09:40:59 AKST


> -oh and btw, I'm supposed to be getting briefed this weekend on some new
> exploits out there that haven't gone mainstream yet... if I find the time to
> hook up with the guys .. I will pass the info on to this lug..
> ---First rule of AKLuG, what I say in the lug..stays in the lug!--- ps -aux
> | grep FeLoN_MoNK > crazy.txt

Well, the lug and whichever search engine runs through the archives. ;)

There's a rumored OpenSSH/SSH version 2 exploit that is being discussed on
other lists. On the SuSE-Security list someone claimed to have a working
root exploit for OpenSSH version 3.x, however I haven't seen anything on
the OpenSSH site yet. If true, bad news for the OpenBSD team as they have
to reset their "no remote root exploits in the default install" counter
which is at four years now. There's some question about whether or not it
is really the SSH1 vulnerability, or if it only affects commercial SSH and
not OpenSSH. For those of you who keep an SSH port open on your systems,
interesting reading:

SecurityFocus:
<LINK MAY WRAP>
http://online.securityfocus.com/cgi-bin/archive.pl?id=82&start=2002-02-27&end=2002-03-05&threads=1&tid=258238
</LINK>

SuSE-Security:
<LINK MAY WRAP>
http://lists2.suse.com/archive/suse-security/2002-Feb/0601.html
</LINK>

Since SuSE-Security doesn't have a single thread view, I chose the message
that claims responsibility - you should be able to navigate from there to
read the whole thing.

I block port 22 at my firewall, and I have noticed port 22 probes
returning to my firewall logs recently - but no way to tell if that is
just the old SSH1 exploit or the new one.

And finally, for the Debian users out there - get the SSH .deb from Woody.
It lets you run an SSH2 only shop, as opposed to the SSH .deb from
Potato, which uses SSH1. Convenient if your firewall doesn't have a
compiler installed.

Cheers,

James
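
The following is an added example, not part of the original message: one way to see port 22 probes "returning" in firewall logs is to tally dropped inbound TCP SYNs to port 22 per day and per source. It assumes netfilter LOG-target lines in syslog; the `FW-DROP:` prefix, host name and addresses are constructed. As the message notes, a tally like this shows volume and sources only, not which SSH flaw a scanner is looking for.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log (abbreviated netfilter LOG lines, RFC 5737 addresses).
SAMPLE_LOG = """\
Feb 20 03:11:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40112 DPT=22 WINDOW=5840 SYN URGP=0
Feb 20 03:11:05 fw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40113 DPT=80 WINDOW=5840 SYN URGP=0
Mar  1 14:02:40 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 SYN URGP=0
Mar  1 14:02:43 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.6 PROTO=TCP SPT=51001 DPT=22 WINDOW=5840 SYN URGP=0
Mar  1 14:05:00 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.5 PROTO=UDP SPT=53 DPT=22 LEN=40
Mar  2 08:30:12 fw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.5 PROTO=TCP SPT=33001 DPT=22 WINDOW=5840 SYN URGP=0
"""

# Syslog date, then SRC, PROTO=TCP and DPT fields; everything after DPT holds the TCP flags.
LINE_RE = re.compile(
    r"^(?P<day>\w{3}\s+\d+) \S+ \S+ kernel: .*?\bSRC=(?P<src>\S+) "
    r".*?\bPROTO=TCP\b.*?\bDPT=(?P<dpt>\d+)\b(?P<rest>.*)$"
)

def ssh_probes(log_text, port=22):
    """Return {day: Counter(source -> hits)} for dropped TCP SYNs to `port`."""
    by_day = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["dpt"]) != port:
            continue
        flags = m["rest"].split()
        if "SYN" not in flags or "ACK" in flags:
            continue  # count new connection attempts only
        day = " ".join(m["day"].split())  # normalise "Mar  1" to "Mar 1"
        by_day[day][m["src"]] += 1
    return by_day

def daily_totals(log_text, port=22):
    """Per-day probe totals in log order, to show when probing picks up again."""
    return [(day, sum(c.values())) for day, c in ssh_probes(log_text, port).items()]

if __name__ == "__main__":
    for day, sources in ssh_probes(SAMPLE_LOG).items():
        print(day, sum(sources.values()), dict(sources))
```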


