C.J. Oster inscribed thusly:
> As you may have heard, Wednesday morning RootShell was hacked via sshd.
> So to protect myself, I've been trying to build sshd 2.0.9. There is one
> problem. Everything compiles fine, but when linking, I get many undefined
> references to a function called stat(). 'man 2 stat' gives me some
> headers, and they are all included. What I want to know is how do I find
> out what library a function is in and link the binary to it. Thanks for
> your help.
Several involved people have pointed out, yes, it looks like they
connected into rootshell.com via ssh. That does not mean that there is
an inherent flaw in ssh 1.2.26. It also does not mean that upgrading to
2.0.10 (2.0.9 is not the latest) will necessarily avoid the problem. If the
intruders managed to guess or otherwise obtain a password, they could log
in using ssh. They could also do this by using some other exploit to
create or modify configuration files such as .shosts or .ssh/authorized_keys.
It could have been done through improper permissions or bad cgi scripts.
Maybe they tricked qmail or apache into coughing up the passwd file and
they found a weakly protected account. We just don't know. Access is half
the battle. You can then worry about root access once you're in.
At this time, we do not have information as to what was done to
gain access. Saying that they got in through ssh is like saying they
got in through telnet or that they got a shell. Doesn't mean that telnet
or bash would be suspect. Caution is advised! Until we know different,
everything should be suspect. Caution would also say that 2.0.10 may be
no better!
I'm restricting access to the ssh ports. You can use ipfwadm or
ipchains to limit access to those addresses that you want to grant access.
Unlike rsh or rlogin, there is too much handshaking and Linux is not
sequence number predictable, so I don't think spoofing is likely to be
a serious problem. Allowing access to everywhere is probably NOT a good
idea at this time... No matter WHAT version of access software you
are using!
> -CJO-
> C.J. Oster (Linux Guru/Surge Addict)
> --------------------------------------------------------------------
> | [EMAIL PROTECTED] | 910 S. 3rd St, #1318 | CCSO, WSG, UIUC |
> | [EMAIL PROTECTED] | Champaign, IL 91820 | 1443 DCL, Urbana |
> --------------------------------------------------------------------
> (580)761-6393 (217)328-8934
> "Linux, for people with an IQ above 98" - Bumper Sticker
> "Hm, a little big for a cup holder... Why does it say '4x' on it?"
--
Michael H. Warfield | (770) 985-6132 | [EMAIL PROTECTED]
(The Mad Wizard) | (770) 925-8248 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
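The "restrict access to the ssh ports" advice above, turned into a concrete ipchains rule set as an added example; this is not code from either poster, and it assumes a 2.2-era kernel with ipchains (the tool Michael names). The chain name `ssh-in`, the function names, and the two source networks (192.0.2.0/24 and 198.51.100.7, documentation ranges) are constructed for illustration. Everything that is not in the allow list is logged and denied, so a probe from an unexpected address shows up in the kernel log rather than reaching sshd at all.

```shell
#!/bin/sh
# Added example (not from the original thread): emit an ipchains rule set that
# accepts TCP/22 only from listed source networks and logs + denies the rest.
# Assumption: 2.2-era kernel with ipchains, as in the post; chain name and
# addresses are constructed placeholders.

# gen_ssh_rules NET [NET ...]  -> prints one ipchains command per line
gen_ssh_rules() {
    # Create the chain if needed and flush it so re-runs are idempotent.
    echo "ipchains -N ssh-in 2>/dev/null"
    echo "ipchains -F ssh-in"
    # Loopback is always allowed (e.g. 'ssh localhost' for local testing).
    echo "ipchains -A ssh-in -i lo -j ACCEPT"
    # One ACCEPT per trusted source network; -d 0/0 22 means "any local
    # address, destination port 22" in ipchains syntax.
    for net in "$@"; do
        echo "ipchains -A ssh-in -p tcp -s $net -d 0/0 22 -j ACCEPT"
    done
    # Default for port 22: log (-l) and DENY, so unexpected sources are visible.
    echo "ipchains -A ssh-in -p tcp -d 0/0 22 -l -j DENY"
    # Hook the chain at the head of the built-in input chain; remove any
    # previous jump first so the hook is not duplicated on re-run.
    echo "ipchains -D input -p tcp -d 0/0 22 -j ssh-in 2>/dev/null"
    echo "ipchains -I input -p tcp -d 0/0 22 -j ssh-in"
}

# count_accept_rules NET... -> number of ACCEPT rules emitted
# (loopback plus one per trusted network)
count_accept_rules() {
    gen_ssh_rules "$@" | grep -c -- '-j ACCEPT'
}

# apply_ssh_rules NET... -> actually load the rules; refuses without ipchains
apply_ssh_rules() {
    command -v ipchains >/dev/null 2>&1 || {
        echo "ipchains not installed; nothing applied" >&2
        return 1
    }
    gen_ssh_rules "$@" | sh
}

# Dry run: only the office LAN and one remote admin host may reach sshd.
gen_ssh_rules 192.0.2.0/24 198.51.100.7
```

Run the script as-is to review the generated rules, then call `apply_ssh_rules` with the same networks (as root) to load them. Because the DENY rule carries `-l`, every refused connection attempt on port 22 is written to the kernel log, which is the cheapest detection you get for the "unknown entry point" situation the thread describes. On a current kernel the same policy is expressed with iptables or nftables; the structure (loopback, explicit allow list, logged default deny) carries over unchanged.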