LINUX.IE, website of the Irish Linux Users' Group

[ILUG] Debian Woody ssh hack


Eoin Ryan eoin.ryan at ul.ie
Wed Aug 4 21:09:02 IST 2004


The second box that was hacked was a gateway machine to a private
network and the *only* listening port was ssh!

When I saw the first machine initially, I was convinced it was an
apache/php problem... until I found the second machine was compromised.

On Wed, Aug 04, 2004 at 09:04:26PM +0100, Ken Gilmour wrote:
> On Wed, 4 Aug 2004 15:09:15 +0100, Eoin Ryan wrote:
> > Hi all,
> >
> > There appears to be a new exploit of sshd on Debian Woody.  Ssh
> > version:
> > SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3
> >
> <snip>
> 
> Ok this is the conclusion I have come to on this problem. I cannot find
> any patches on that and none of my security team seem to know anything 
> about it which is quite unusual, it's also unusual for Debian to go that 
> long without issuing a patch.
> 
> A few months ago we discovered a root kit which looks similar to this... 
> same IRC bot etc. It was actually an apache vulnerability at the time 
> where the exploit was. You can find this by looking at your apache logs.
> 
> What could be done was that you could hit the apache vulnerability, 
> execute remote code and set up an ssh daemon on another port, that's when 
> you will see the failed ssh logins, almost the exact same deal.
> 
> If the daemon is stopped it will keep coming back. There was a process 
> running similar to kscand (similar, can't remember exact name). Once that
> was stopped ssh stopped coming back.
> 
> So check your apache logs... if there is nothing unusual (god forbid) 
> then it may be a brand new vulnerability.
> 
> Thanks
> 
> Ken
> 
> 
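
A listener audit for the situation described in this thread, as an added example that is not part of the original messages: it compares a host's listening TCP sockets against an allowlist, so that a second ssh daemon on another port stands out on a box where ssh should be the only listening port. The `ss -H -ltnp` sample, the ports, the PIDs and the `EXPECTED` allowlist are constructed assumptions.

```python
import re

# Constructed sample of `ss -H -ltnp` output (not taken from the thread).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))
LISTEN 0 128 0.0.0.0:4022 0.0.0.0:* users:(("sshd",pid=3391,fd=3))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("apache2",pid=901,fd=4))
LISTEN 0 5 127.0.0.1:6010 0.0.0.0:*
"""

# Assumed policy for a gateway like the one described: sshd on 22, nothing else.
EXPECTED = {(22, "sshd")}

# First owning process in the "users:((...))" column.
PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')

def parse_listeners(ss_output):
    """Yield (address, port, process_name, pid) for each LISTEN line."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")   # handles [::]:22 and *:22
        if not port.isdigit():
            continue
        m = PROC_RE.search(" ".join(fields[5:]))
        name, pid = (m.group(1), int(m.group(2))) if m else (None, None)
        yield addr, int(port), name, pid

def audit(ss_output, expected=EXPECTED):
    """Return (port, name, pid, reason) for every listener outside the allowlist."""
    findings = []
    for _addr, port, name, pid in parse_listeners(ss_output):
        if (port, name) in expected:
            continue
        if name == "sshd":
            reason = "sshd on unexpected port"
        elif name is None:
            # ss shows no owner when not run as root, or when the owner is hidden
            reason = "listener with no visible owning process"
        else:
            reason = "listener not in allowlist"
        findings.append((port, name, pid, reason))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SS):
        print(finding)
```

A rootkit that has replaced system binaries can hide its sockets from tools run on the host itself, so compare the result with a port scan taken from another machine.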



