
Re: Help... SSH CRC-32 compensation attack detector vulnerability



The patch is to use the "ssh" package in unstable... and I think in the
security-updates.

We were using ssh-nonfree and that is vulnerable. I think they released a
patch and the debs have since been updated, but I'd be wary of staying
with ssh-nonfree now that a hole is right there.

Damn... now the messy clean up process left after numerous rootkits have
been installed. We're just trying to cp -a all the files from our backups
into their right places. That should solve things.

If anyone has better ideas, please let me know.

Sincerely,
Jason

----- Original Message -----
From: "Keith Elder" <keith@zorka.com>
To: "Jason Lim" <maillist@jasonlim.com>
Cc: <debian-isp@lists.debian.org>
Sent: Monday, December 03, 2001 1:11 PM
Subject: Re: Help... SSH CRC-32 compensation attack detector vulnerability


> What is the patch to plug this hole?
>
> K.
>
> * Jason Lim (maillist@jasonlim.com) wrote:
> > Reply-To: "Jason Lim" <maillist@jasonlim.com>
> > From: "Jason Lim" <maillist@jasonlim.com>
> > To: <debian-isp@lists.debian.org>
> > Subject: Help... SSH CRC-32 compensation attack detector vulnerability
> > Date: Mon, 3 Dec 2001 09:33:07 +1100
> > X-Mailer: Microsoft Outlook Express 6.00.2600.0000
> >
> > Hi,
> >
> > sigh... yes... some of our servers have been hit with the "SSH CRC-32
> > compensation attack detector vulnerability" attack.
> >
> > some servers have been compromised, and the usual rootkit stuff (install
> > root shells in /etc/inetd.conf, bogus syslogd, haxored ps, etc.).
> >
> > What is an easy way to locate binaries that are different from the ones
> > provided in the original debs?
> >
> > And is there any other relatively easier way of cleaning up a system that
> > has had a rootkit installed?
> >
> > We've done a netstat -a and removed/killed all strange processes, and
> > cleaned inetd.conf as much as we can, but some of the programs in
> > inetd.conf have themselves also been tampered with (eg. in.telnetd).
> >
> > Please help... I have a bad feeling the crackers are coming back real soon
> > to really finish off the job... so any help at this time in removing all
> > their crap would be greatly appreciated.
> >
> > Sincerely,
> > Jason
> >
> >
> >
> > --
> > To UNSUBSCRIBE, email to debian-isp-request@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>
>
> #######################################################
>                       Keith Elder
>                Email: keith@zorka.com
>                 Phone: 1-734-507-1438
>  Text Messaging (145 characters): mobile@zorka.com
> Web: http://www.zorka.com (Howto's, News, and hosting!)
>
>      "With enough memory and hard drive space
>            anything in life is possible!"
> #######################################################
>
>
>
>
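
On the quoted question of locating binaries that differ from the ones in the original debs, the following is an added example and not part of any message in this thread. It checks files against a list in the "<md5 hex>  <relative path>" layout of /var/lib/dpkg/info/<package>.md5sums; the function names and the sample tree are constructed for illustration. On a host that has had a rootkit installed, md5sum and the lists themselves may have been replaced, so run the check from known-good media against the mounted disk.

```shell
#!/bin/sh
# Added example (not from the thread): report files that differ from a
# dpkg-style md5sums list. Each list line is "<md5 hex>  <relative path>",
# the layout of /var/lib/dpkg/info/<package>.md5sums.

# verify_md5sums ROOT LIST  (hypothetical helper name)
# Prints "CHANGED <path>" or "MISSING <path>" per bad entry.
# Returns 1 if anything was reported, 0 if every listed file matches.
verify_md5sums() {
    root=$1; list=$2; status=0
    while read -r want path; do
        [ -n "$path" ] || continue      # skip blank or malformed lines
        if [ ! -f "$root/$path" ]; then
            echo "MISSING $path"; status=1; continue
        fi
        have=$(md5sum < "$root/$path" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "CHANGED $path"; status=1
        fi
    done < "$list"
    return "$status"
}

# make_sample DIR: constructed sample data, a fake root with three files
# and a matching list written to DIR.md5sums.
make_sample() {
    mkdir -p "$1/usr/sbin" "$1/sbin" "$1/bin"
    printf 'telnetd v1\n' > "$1/usr/sbin/in.telnetd"
    printf 'ps v1\n' > "$1/bin/ps"
    printf 'syslogd v1\n' > "$1/sbin/syslogd"
    ( cd "$1" && md5sum usr/sbin/in.telnetd bin/ps sbin/syslogd ) > "$1.md5sums"
}

# Demo: build the sample, alter one file, delete another, then verify.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample "$tmp/root"
    printf 'ps replaced\n' > "$tmp/root/bin/ps"
    rm "$tmp/root/sbin/syslogd"
    verify_md5sums "$tmp/root" "$tmp/root.md5sums"
    rm -rf "$tmp"
fi
```
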


