
Re: Help... SSH CRC-32 compensation attack detector vulnerability

On Mon, Dec 03, 2001 at 09:33:07AM +1100, Jason Lim wrote:
> Hi,
> sigh... yes... some of our servers have been hit with the "SSH CRC-32
> compensation attack detector vulnerability" attack.
> some servers have been compromised, and the usual rootkit stuff (install
> root shells in /etc/inetd.conf, bogus syslogd, haxored ps, etc.).
> What is an easy way to locate binaries that are different from the ones
> provided in the original debs?

You *are* running either tripwire, or aide, right? :(

> And is there any other relatively easier way of cleaning up a system that
> has had a rootkit installed?

debsums will help you with identifying if a binary changed, but if
something was added, you will never know unless you stumble onto it.

> We've done a netstat -a and removed/killed all strange processes, and
> cleaned inetd.conf as much as we can, but some of the programs in
> inetd.conf have themselves also been tampered with (eg. in.telnetd).
> Please help... I have a bad feeling the crackers are coming back real soon
> to really finish off the job... so any help at this time in removing all
> their crap would be greatly appreciated.

I'm really going to have to write up something on securing a machine. There
is no such thing as an uncrackable machine, but your job of cleaning it
up can be a little easier if you prepare ahead of time for it.


   >> Tim Sailer (at home)             ><  Coastal Internet, Inc.          <<
   >> Network and Systems Operations   ><  PO Box 671                      <<
   >> http://www.buoy.com              ><  Ridge, NY 11961                 <<
   >> tps@unslept.com/tps@buoy.com     ><  (631) 924-3728                  <<
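An added example, not part of this thread: the kind of check debsums performs (compare installed files against the MD5 recorded in dpkg's `.md5sums` manifests), extended to also list files under the scanned directories that no manifest claims, which is the added-file case the reply above says debsums cannot report. The fake root, file contents and manifest text are constructed for the demo.

```python
import hashlib
import os
import tempfile

def parse_md5sums(text):
    """dpkg .md5sums format: one "<md5hex>  <path relative to />" per line."""
    pairs = (line.split(None, 1) for line in text.splitlines())
    return {"/" + p[1].strip().lstrip("/"): p[0].lower() for p in pairs if len(p) == 2}

def md5_of(path):
    """MD5 of a whole file; dpkg manifests record MD5, so that is what we compare."""
    with open(path, "rb") as fh:
        return hashlib.md5(fh.read()).hexdigest()

def audit(root, manifests, scan_dirs):
    """Return (changed, missing, unlisted): manifest entries whose content differs or
    is gone under `root`, plus files in `scan_dirs` that no manifest claims."""
    expected = {}
    for text in manifests:
        expected.update(parse_md5sums(text))
    changed, missing, unlisted = [], [], []
    for rel, digest in sorted(expected.items()):
        full = os.path.join(root, rel.lstrip("/"))
        if not os.path.isfile(full):
            missing.append(rel)
        elif md5_of(full) != digest:
            changed.append(rel)
    for d in scan_dirs:  # the gap debsums leaves: files that were added, not changed
        for dirpath, _, files in os.walk(os.path.join(root, d.lstrip("/"))):
            for name in files:
                rel = "/" + os.path.relpath(os.path.join(dirpath, name), root)
                if rel not in expected:
                    unlisted.append(rel)
    return changed, missing, sorted(unlisted)

def demo():
    """Constructed fake root: clean /bin/ls, tampered /usr/sbin/in.telnetd, added .bogus."""
    root = tempfile.mkdtemp()
    def put(rel, data):
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    clean = {"bin/ls": b"ls-binary", "usr/sbin/in.telnetd": b"telnetd-binary"}
    for rel, data in clean.items():
        put(rel, data)
    manifest = "\n".join(f"{hashlib.md5(d).hexdigest()}  {r}" for r, d in clean.items())
    put("usr/sbin/in.telnetd", b"trojaned")  # tampered, as the thread describes
    put("usr/sbin/.bogus", b"rootkit")       # added file that appears in no manifest
    return audit(root, [manifest], ["/bin", "/usr/sbin"])
```

On a compromised host the manifests under /var/lib/dpkg/info and the interpreter itself may have been altered, so run a check like this from a known-good rescue environment against the mounted disk, with `root` pointing at the mount.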
