Re: Help... SSH CRC-32 compensation attack detector vulnerability
The patch is to use the "ssh" package in unstable... and I think in the
security-updates.
We were using ssh-nonfree and that is vulnerable. I think they released a
patch and the debs have since been updated, but I'd be wary of staying
with ssh-nonfree now that a hole is right there.
Damn... now the messy clean up process left after numerous rootkits have
been installed. We're just trying to cp -a all the files from our backups
into their right places. That should solve things.
If anyone has better ideas, please let me know.
Sincerely,
Jason
----- Original Message -----
From: "Keith Elder" <keith@zorka.com>
To: "Jason Lim" <maillist@jasonlim.com>
Cc: <debian-isp@lists.debian.org>
Sent: Monday, December 03, 2001 1:11 PM
Subject: Re: Help... SSH CRC-32 compensation attack detector vulnerability
> What is the patch to plug this hole?
>
> K.
>
> * Jason Lim (maillist@jasonlim.com) wrote:
> > Reply-To: "Jason Lim" <maillist@jasonlim.com>
> > From: "Jason Lim" <maillist@jasonlim.com>
> > To: <debian-isp@lists.debian.org>
> > Subject: Help... SSH CRC-32 compensation attack detector vulnerability
> > Date: Mon, 3 Dec 2001 09:33:07 +1100
> > X-Mailer: Microsoft Outlook Express 6.00.2600.0000
> >
> > Hi,
> >
> > sigh... yes... some of our servers have been hit with the "SSH CRC-32
> > compensation attack detector vulnerability" attack.
> >
> > some servers have been compromised, and the usual rootkit stuff (install
> > root shells in /etc/inetd.conf, bogus syslogd, haxored ps, etc.).
> >
> > What is an easy way to locate binaries that are different from the ones
> > provided in the original debs?
> >
> > And is there any other relatively easier way of cleaning up a system that
> > has had a rootkit installed?
> >
> > We've done a netstat -a and removed/killed all strange processes, and
> > cleaned inetd.conf as much as we can, but some of the programs in
> > inetd.conf have themselves also been tampered with (eg. in.telnetd).
> >
> > Please help... I have a bad feeling the crackers are coming back real soon
> > to really finish off the job... so any help at this time in removing all
> > their crap would be greatly appreciated.
> >
> > Sincerely,
> > Jason
> >
> >
> >
> > --
> > To UNSUBSCRIBE, email to debian-isp-request@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>
>
> #######################################################
> Keith Elder
> Email: keith@zorka.com
> Phone: 1-734-507-1438
> Text Messaging (145 characters): mobile@zorka.com
> Web: http://www.zorka.com (Howto's, News, and hosting!)
>
> "With enough memory and hard drive space
> anything in life is possible!"
> #######################################################
>
>
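Added example (not part of the thread, and not Debian's own tooling): one way to approach the quoted question about locating binaries that differ from the original debs is to re-hash files against the `<package>.md5sums` records dpkg keeps under `/var/lib/dpkg/info`. The function names and the sample tree are constructed for illustration, and the check assumes it is run from trusted boot media with the suspect disk mounted at `root`.

```python
import hashlib
import os
import tempfile

def md5_of(path):
    with open(path, "rb") as f:  # MD5 because that is what dpkg's .md5sums files record
        return hashlib.md5(f.read()).hexdigest()

def audit(root, info_dir):
    """Compare files under root with the <pkg>.md5sums records in info_dir."""
    findings, owned = [], set()
    for name in sorted(n for n in os.listdir(info_dir) if n.endswith(".md5sums")):
        pkg = name[:-len(".md5sums")]
        with open(os.path.join(info_dir, name), errors="replace") as f:
            for line in f:
                # Record format: "<md5 hex>  <path relative to />"
                digest, _, rel = line.rstrip("\n").partition("  ")
                if not rel:
                    continue
                owned.add(rel)
                full = os.path.join(root, rel)
                if not os.path.isfile(full):
                    findings.append(("MISSING", pkg, rel))
                elif md5_of(full) != digest:
                    findings.append(("CHANGED", pkg, rel))
    # Files in binary directories that no .md5sums file lists: leads to review, not proof.
    for d in ("bin", "sbin", "usr/bin", "usr/sbin"):
        top = os.path.join(root, d)
        for fn in sorted(os.listdir(top)) if os.path.isdir(top) else []:
            if d + "/" + fn not in owned:
                findings.append(("UNOWNED", "-", d + "/" + fn))
    return sorted(findings)

def build_sample():
    """Constructed sample: two packaged binaries, one altered on disk, plus one extra file."""
    tmp = tempfile.mkdtemp()
    root, info = os.path.join(tmp, "root"), os.path.join(tmp, "info")
    for d in (root + "/bin", root + "/usr/sbin", info):
        os.makedirs(d)
    for pkg, rel, disk in (("procps", "bin/ps", b"packaged"),
                           ("telnetd", "usr/sbin/in.telnetd", b"altered")):
        with open(os.path.join(info, pkg + ".md5sums"), "w") as f:
            f.write(hashlib.md5(b"packaged").hexdigest() + "  " + rel + "\n")
        with open(os.path.join(root, rel), "wb") as f:
            f.write(disk)
    open(root + "/bin/extra", "wb").close()  # a file no package lists
    return root, info

if __name__ == "__main__":
    print(*audit(*build_sample()), sep="\n")
```

Conffiles such as `/etc/inetd.conf` are not listed in `.md5sums`, and the records sit on the same disk the intruder controlled, so hashes taken from freshly downloaded debs are the stronger reference.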