Help... SSH CRC-32 compensation attack detector vulnerability

To: <debian-isp@lists.debian.org>
Subject: Help... SSH CRC-32 compensation attack detector vulnerability
From: "Jason Lim" <maillist@jasonlim.com>
Date: Mon, 3 Dec 2001 09:33:07 +1100
Message-id: <[🔎] 050401c17b81$5d66cb60$0400a8c0@zentek.net>
Reply-to: "Jason Lim" <maillist@jasonlim.com>

Hi,

sigh... yes... some of our servers have been hit with the "SSH CRC-32
compensation attack detector vulnerability" attack.

some servers have been compromised, and the usual rootkit stuff (install
root shells in /etc/inetd.conf, bogus syslogd, haxored ps, etc.).

What is an easy way to locate binaries that are different from the ones
provided in the original debs?

And is there any other relatively easier way of cleaning up a system that
has had a rootkit installed?

We've done a netstat -a and removed/killed all strange processes, and
cleaned inetd.conf as much as we can, but some of the programs in
inetd.conf have themselves also been tampered with (eg. in.telnetd).

Please help... I have a bad feeling the crackers are coming back real soon
to really finish off the job... so any help at this time in removing all
their crap would be greatly appreciated.

Sincerely,
Jason

Reply to:

Follow-Ups:
- Re: Help... SSH CRC-32 compensation attack detector vulnerability
  - From: jake@lucidpark.net (Jacob Kuntz)
- Re: Help... SSH CRC-32 compensation attack detector vulnerability
  - From: Keith Elder <keith@zorka.com>
- Re: Help... SSH CRC-32 compensation attack detector vulnerability
  - From: tps@unslept.com
- Re: Help... SSH CRC-32 compensation attack detector vulnerability
  - From: Alejandro Borges <alex@sogrp.com>

Prev by Date: Re: sf-debian
Next by Date: Re: Help... SSH CRC-32 compensation attack detector vulnerability
Previous by thread: Re: migration from FreeBSD 4.4 to Debian 2.2r4
Next by thread: Re: Help... SSH CRC-32 compensation attack detector vulnerability
Index(es):
- Date
- Thread