On Wed, 4 Aug 2004 15:09:15 +0100, Eoin Ryan wrote:
> Hi all,
>
> There appears to be a new exploit of sshd on Debian Woody. Ssh
> version:
> SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3
> <snip>

OK, this is the conclusion I have come to on this problem. I cannot find
any patches on that and none of my security team seem to know anything
about it, which is quite unusual; it's also unusual for Debian to go that
long without issuing a patch.

A few months ago we discovered a rootkit which looks similar to this...
same IRC bot etc. It was actually an Apache vulnerability at the time
where the exploit was. You can find this by looking at your Apache logs.
What could be done was that you could hit the Apache vulnerability,
execute remote code and set up an ssh daemon on another port; that's when
you will see the failed ssh logins, almost the exact same deal.

If the daemon is stopped it will keep coming back. There was a process
running similar to kscand (similar, can't remember exact name). Once that
was stopped, ssh stopped coming back.

So check your Apache logs... if there is nothing unusual (god forbid)
then it may be a brand new vulnerability.

Thanks
Ken
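
The reply above describes an ssh daemon being set up on another port. As an added example (not part of the original message), the following shell function audits `netstat -tlnp` output for TCP listeners outside an expected set. The allowlist, the tag names and the sample output (ports 2222 and 4000, the PIDs) are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag TCP listeners that are not on an expected port.
# Real use (as root, so the PID/Program column is filled in):
#   netstat -tlnp | audit_listeners "22 80"

audit_listeners() {
    # $1: space-separated list of TCP ports that are expected to listen
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            # Field 4 is the local address; the port follows the last colon
            # (covers 0.0.0.0:22 and :::22 alike).
            port = $4; sub(/.*:/, "", port)
            if (port in ok) next
            # Field 7 is "PID/Program name", or "-" when the owner is not visible.
            prog = $7; sub(/^[0-9]+\//, "", prog)
            tag = (prog ~ /^sshd/) ? "SSHD-ON-UNEXPECTED-PORT" : "UNEXPECTED-LISTENER"
            print tag, port, $7
        }'
}

# Constructed sample of `netstat -tlnp` output, so the example runs offline.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      412/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      530/apache
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      9731/sshd
tcp        0      0 0.0.0.0:4000            0.0.0.0:*               LISTEN      -
EOF
}

# Demo run against the sample, with 22 and 80 as the expected ports.
sample_netstat | audit_listeners "22 80"
```

On a host that may already carry a rootkit, local tool output can be falsified, so compare the result with a port scan run from another machine.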