On Tue, Jun 17, 2003 at 11:41:20PM +0200, Florian Weimer wrote:
Anyway, I just wanted to make sure that you investigate other
weaknesses than the SSH1 implementation. It's my gut feeling based on
the facts you have mentioned that another explanation is far more
likely.
Certainly, we have
Nick Boyce [EMAIL PROTECTED] writes:
These attacks require wiretapping and traffic
manipulation capabilities.
I'd be interested if you could expand on this - do you mean a
connection to the victim's LAN is necessary?
LAN or WAN. Actually, access to any transmission link suffices.
I'd
Tim Peeler [EMAIL PROTECTED] writes:
I've done some research and have seen reports on several kits
available to exploit the SSH1 protocol.
Can you send me a few links? I can only remember attacks which
required (a) eavesdropping, (b) huge amounts of traffic (you would
have noticed it), (c) or
On Tue, Jun 17, 2003 at 09:45:28PM +0200, Florian Weimer wrote:
Tim Peeler [EMAIL PROTECTED] writes:
I've done some research and have seen reports on several kits
available to exploit the SSH1 protocol.
Can you send me a few links? I can only remember attacks which
required (a)
On Tue, 17 Jun 2003 21:34:32 +0200, Florian Weimer wrote:
Nick Boyce [EMAIL PROTECTED] writes:
These attacks require wiretapping and traffic
manipulation capabilities.
I'd be interested if you could expand on this - do you mean a
connection to the victim's LAN is necessary?
LAN or WAN.
On Sun, Jun 15, 2003 at 09:01:00AM +0200, Florian Weimer wrote:
Tim Peeler [EMAIL PROTECTED] writes:
I've come to the conclusion that the SSH1 protocol is the most
likely cause of this problem.
Attacks on the SSH v1 protocol are relatively sophisticated. It's
more likely that some
Tim Peeler [EMAIL PROTECTED] writes:
As we have yet to see any indication that this is related to the crc32
compensation detector yet, I'm finding it more and more difficult
to believe that this was truly the problem.
Yes, indeed. This particular problem has been fixed, but there are
On Sun, 15 Jun 2003 09:01:00 +0200, Florian Weimer wrote:
Tim Peeler [EMAIL PROTECTED] writes:
I've come to the conclusion that the SSH1 protocol is the most
likely cause of this problem.
Attacks on the SSH v1 protocol are relatively sophisticated. It's
more likely that some token used for
Tim Peeler [EMAIL PROTECTED] writes:
I've come to the conclusion that the SSH1 protocol is the most
likely cause of this problem.
Attacks on the SSH v1 protocol are relatively sophisticated. It's
more likely that some token used for authentication (password, RSA or
DSA key) has leaked, that a
On Sat, Jun 14, 2003 at 03:28:49AM +0100, Nick Boyce wrote:
On Fri, 13 Jun 2003 17:52:21 -0400, Tim Peeler wrote:
On Fri, Jun 13, 2003 at 05:15:28PM -0400, David B Harris wrote:
On Fri, 13 Jun 2003 14:18:44 -0400
Tim Peeler [EMAIL PROTECTED] wrote:
In the last 4-5 days we have had 8
In the last 4-5 days we have had 8 servers come under attack. We are
working frantically to keep ahead of these attacks. We have come to the
conclusion that the SSH in woody is likely vulnerable. Of the 8 servers
that have been broken into, half of them are running 2.2.20 and half
are running
On Fri, Jun 13, 2003 at 02:18:44PM -0400, Tim Peeler remarked:
In the last 4-5 days we have had 8 servers come under attack.
We are working frantically to keep ahead of these attacks. We
have come to the conclusion that the SSH in woody is likely
vulnerable. Of the 8 servers that have been
Tim,
If I were in your shoes, the first thing I'd do is set up a small honeypot
with a similar configuration to your other machines. Run the same services,
as you have running on your other woody boxen, but just don't use it for
anything. This way it will appear like 'just another one'
Tim Peeler [EMAIL PROTECTED] writes:
In the last 4-5 days we have had 8 servers come under attack.
Any trust relationships between these servers? Which SSH
authentication method do you use?
On Fri, 13 Jun 2003 14:18:44 -0400
Tim Peeler [EMAIL PROTECTED] wrote:
In the last 4-5 days we have had 8 servers come under attack. We are
working frantically to keep ahead of these attacks. We have come to the
conclusion that the SSH in woody is likely vulnerable. Of the 8 servers
that
On Fri, Jun 13, 2003 at 05:15:28PM -0400, David B Harris wrote:
(This version of the message sent to you personally in the off chance
that you're not subscribed to [EMAIL PROTECTED]; sorry
for not doing it via Cc:, but I forgot.)
On Fri, 13 Jun 2003 14:18:44 -0400
Tim Peeler [EMAIL
Followup:
This has caused problems on some of our old potato systems as well.
It appears to be a worm with the speed in which it spread.
On Fri, Jun 13, 2003 at 02:18:44PM -0400, Tim Peeler wrote:
In the last 4-5 days we have had 8 servers come under attack. We are
working frantically
On Fri, Jun 13, 2003 at 05:52:21PM -0400, Tim Peeler wrote:
Just for information, these failed the global check:
bin/cp FAILED
bin/dd FAILED
bin/df FAILED
bin/dir FAILED
bin/ln FAILED
bin/ls FAILED
bin/mv FAILED
bin/rm FAILED
bin/su FAILED
bin/ping FAILED
bin/ps FAILED
bin/kill FAILED
On Fri, 13 Jun 2003 17:52:21 -0400, Tim Peeler wrote:
On Fri, Jun 13, 2003 at 05:15:28PM -0400, David B Harris wrote:
On Fri, 13 Jun 2003 14:18:44 -0400
Tim Peeler [EMAIL PROTECTED] wrote:
In the last 4-5 days we have had 8 servers come under attack. We are
working frantically to keep
Tim,
If I were in your shoes, the first thing I'd do is set up a small honeypot
with a similar configuration to your other machines. Run the same services,
as you have running on your other woody boxen, but just don't use it for
anything. This way it will appear like 'just another one'
On Fri, Jun 13, 2003 at 05:15:28PM -0400, David B Harris wrote:
(This version of the message sent to you personally in the off chance
that you're not subscribed to debian-security@lists.debian.org; sorry
for not doing it via Cc:, but I forgot.)
On Fri, 13 Jun 2003 14:18:44 -0400
Tim Peeler