
Re: Probable SSH Vulnerability



Tim,
	If I were in your shoes, the first thing I'd do is set up a small honeypot 
with a similar configuration to your other machines. Run the same services 
as you have running on your other woody boxen, but just don't use it for 
anything. This way it will appear like 'just another one' to whoever is 
sneaking around, and we can get some useful information out of it. Just my 
2c. 
			--jordan

On Friday 13 June 2003 2:18 pm, Tim Peeler wrote:
> In the last 4-5 days we have had 8 servers come under attack.  We are
> working frantically to keep ahead of these attacks.  We have come to the
> conclusion that the SSH in woody is likely vulnerable.  Of the 8 servers
> that have been broken into, half of them are running 2.2.20 and half
> are running 2.4.18.  We have been updating all servers to 2.4.21-rc8.
> We are ruling out a kernel exploit because of this.  Of the servers
> attacked, one was only running sshd (from woody).  We have not had time
> to analyze where the exploit occurs in sshd, but we are very confident
> that this is the location of the exploit.  We have begun upgrading to
> a backport of the testing version of ssh which appears to be helping.
> 
> Tim Peeler



