Roy Souther wrote:

| Last Sunday my Mandrake server was owned by an attacker that got in and
| had full root access.
|
| After some digging I found what I believe is the way this person got in
| and much to my surprise it was because Mandrake installs sshd with ssh
| protocol 1 enabled. Shocked and horrified to see that my
| /etc/ssh/sshd_config file contained the line Protocol 2,1. This line
| allows a client to force a protocol 1 connection.
|
I don't think this is your problem:
OpenSSH 2.3.0 and newer are not vulnerable to the "Feb 8, 2001: SSH-1
Daemon CRC32 Compensation Attack Detector Vulnerability", RAZOR Bindview
Advisory CAN-2001-0144. A buffer overflow in the CRC32 compensation
attack detector can lead to remote root access. This problem has been
fixed in OpenSSH 2.3.0. However, versions prior to 2.3.0 are vulnerable.

Which is the link you provided for the exploit.  So as long as you are
using a version of openssh 2.3.0 or newer this isn't the exploit that
got you.  I would imagine if it was through SSH it was one of the newer
openssh exploits that affect V2 in openssh < 3.8p1.

| It is common knowledge that ssh protocol 1 can be easily exploited to
| gain root access. For years now the exploit tools have been available
| for download and everyone that has any information about how this
| exploit works says to disable it.

I don't know that I agree with this; the default config of openssh is
for Protocol 2,1 and, knowing Theo, if ssh1 was a big security hole like
you're claiming this would not be the default.

| I quickly checked all my Mandrake systems and found that ssh protocol 1
| is enabled in Mandrake 9.0, 9.2 and 10.0. My first experience with this
| exploit was when Red Hat 6.0 was still new so why is Mandrake still
| shipping with this known exploit enabled?
|
See above
| If you are running any systems that have ssh enabled to Internet you
| should check to make sure that your /etc/ssh/sshd_config does not have
| this problem.
|
I have been running 4 servers for the past 3 years all with ssh v1
enabled, none have been compromised as of yet with this option on.

--
Mike
Site: http://www.blahz.org/
GPG Key: http://www.blahz.org/gpg.asc
I'm in a place where I don't know where I am!
--Homer Simpson

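An added example (not part of the thread above) showing the check Roy recommends, as a small POSIX shell audit: it flags an sshd_config that still accepts SSH protocol 1 and compares an OpenSSH version string against the 2.3.0 and 3.8p1 cut-offs Mike mentions. The sample config is constructed here; the "2,1" default assumed when no Protocol line exists is taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: audit sshd_config for "Protocol 2,1"
# and check an OpenSSH version against the cut-offs discussed above
# (2.3.0 for the CRC32 detector bug, 3.8p1 for the later V2 fixes).

# 0 if sshd is restricted to protocol 2 only, 1 if protocol 1 is accepted.
# sshd_config uses the first Protocol line found; with none present the
# default of the era ("2,1", as the thread describes) is assumed.
sshd_protocol_ok() {
    proto=$(grep -i '^[[:space:]]*Protocol[[:space:]]' "$1" | head -n 1 |
            awk '{print $2}')
    [ -z "$proto" ] && proto="2,1"
    case ",$proto," in
        *,1,*) return 1 ;;
        *)     return 0 ;;
    esac
}

# 0 when OpenSSH version $1 >= $2; the portable "pN" suffix is ignored.
openssh_version_at_least() {
    a=$(printf '%s' "$1" | sed 's/^OpenSSH_//; s/p[0-9]*$//')
    b=$(printf '%s' "$2" | sed 's/^OpenSSH_//; s/p[0-9]*$//')
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -s -d. -f"$i"); x=${x:-0}
        y=$(printf '%s' "$b" | cut -s -d. -f"$i"); y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# Constructed sample config mirroring the line quoted in the thread.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# comment lines and indentation are ignored by the check
Port 22
Protocol 2,1
PermitRootLogin no
EOF
if sshd_protocol_ok "$SAMPLE_CFG"; then
    echo "Protocol: OK (version 2 only)"
else
    echo "Protocol: WARNING, SSH protocol 1 accepted; set 'Protocol 2'"
fi
openssh_version_at_least "OpenSSH_3.6.1p2" "3.8p1" ||
    echo "Version: older than 3.8p1, update OpenSSH"
rm -f "$SAMPLE_CFG"
```

Run it against a real file by replacing the constructed sample with `/etc/ssh/sshd_config` and the version string with the output of `ssh -V`.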


_______________________________________________ clug-talk mailing list [EMAIL PROTECTED] http://clug.ca/mailman/listinfo/clug-talk_clug.ca
