Gentoo Archives: gentoo-security

From: Bryan O'Shea <bryan05@××××××××.net>
To: Dan Margolis <krispykringle@g.o>
Cc: gentoo-security@l.g.o
Subject: Re: [gentoo-security] SSH login attempts and /var/log/wtmp
Date: Mon, 02 Aug 2004 20:56:59
Message-Id: Pine.LNX.4.60.0408021634230.5259@malachi.totalink.net
In Reply to: Re: [gentoo-security] SSH login attempts and /var/log/wtmp by Dan Margolis
On Mon, 2 Aug 2004, Dan Margolis wrote:

> Bryan O'Shea wrote:
>
> | last -a | grep test
> | test pts/0 Tue Jul 27 00:45 - 00:45 (00:00) 80.28.219.40
> | test pts/0 Sat Jul 24 17:29 - 17:29 (00:00) 210.143.106.131
> | test pts/0 Sat Jul 24 11:10 - 11:10 (00:00) 61.109.156.5
> | test pts/0 Sun Jul 18 22:08 - 22:08 (00:00) 66.165.234.7
> | test pts/1 Thu Jul 15 09:03 - 09:03 (00:00) mail.schedl-automotive.de
> | test pts/0 Thu Jul 15 08:59 - 08:59 (00:00) mail.schedl-automotive.de
> | test pts/0 Thu Jul 15 08:57 - 08:57 (00:00) mail.schedl-automotive.de
> | test pts/0 Thu Jul 15 08:53 - 08:53 (00:00) mail.schedl-automotive.de
> | test pts/1 Wed Jul 14 12:37 - 12:37 (00:00) host2-140.pool21758.interbusiness.it
> | test pts/0 Tue Jul 13 01:23 - 01:23 (00:00) 216-55-164-10.dedicated.abac.net

> I would say that at the moment, it is best to assume, however unlikely,
> that your machine may have been compromised. I would take it off the
> network immediately and not use it until we reach the bottom of this.

Will do.

> I haven't fully analyzed all the ssh toolkits people have provided me,
> but so far I've yet to see anything other than ptrace and do_brk
> vulnerabilities, and normal SSH login attempts. However, one individual
> on full disclosure reported an oversized packet (?) captured with
> tcpdump, which he argued is evidence of some as-yet unknown OpenSSH
> vulnerability.

I haven't done any detailed capturing at this point.

> This is a vanilla 2004.1 install on x86, correct?

Yes, SMP x86 box.

--
gentoo-security@g.o mailing list
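One way to triage `last -a` output of the kind quoted in the thread, as an added example that is not part of the original messages: parse the wtmp listing and flag accounts whose sessions were all zero-length and arrived from several unrelated remote hosts, the pattern seen for the `test` account above. The sample lines, host names and addresses below are constructed, not taken from the thread.

```python
import re
from collections import defaultdict

# One completed session as printed by `last -a`: user, tty, login time,
# logout time, duration in parentheses and the remote host in the last column.
LAST_LINE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+"
    r"(?P<login>\w{3} \w{3} +\d{1,2} \d{2}:\d{2})\s+-\s+"
    r"(?P<logout>\d{2}:\d{2}|crash|down)\s*"
    r"\((?P<dur>[^)]*)\)\s*(?P<host>\S*)$"
)

# Constructed sample output (documentation addresses and example.* names).
SAMPLE_LAST = """
test     pts/0        Tue Jul 27 00:45 - 00:45  (00:00)     192.0.2.40
test     pts/0        Sat Jul 24 17:29 - 17:29  (00:00)     198.51.100.131
test     pts/1        Thu Jul 15 09:03 - 09:03  (00:00)     mail.example.net
test     pts/0        Thu Jul 15 08:59 - 08:59  (00:00)     mail.example.net
bryan    pts/2        Mon Aug  2 16:10 - 17:45  (01:35)     workstation.example.org
bryan    pts/2        Sun Aug  1 09:02 - 12:30  (03:28)     workstation.example.org
reboot   system boot  2.6.7-gentoo     Sun Aug  1 08:55          (2+11:00)
"""


def parse_last(text):
    """Return a list of session dicts; reboot/shutdown and other
    non-matching lines are skipped rather than guessed at."""
    sessions = []
    for line in text.splitlines():
        m = LAST_LINE.match(line.strip())
        if m:
            sessions.append(m.groupdict())
    return sessions


def flag_accounts(sessions, min_hosts=3):
    """Accounts seen from at least `min_hosts` distinct remote hosts whose
    sessions were all zero-length (00:00). Returns {user: sorted hosts}."""
    per_user = defaultdict(lambda: {"hosts": set(), "zero": 0, "total": 0})
    for s in sessions:
        info = per_user[s["user"]]
        info["total"] += 1
        info["zero"] += s["dur"] == "00:00"
        if s["host"]:
            info["hosts"].add(s["host"])
    return {u: sorted(i["hosts"]) for u, i in per_user.items()
            if len(i["hosts"]) >= min_hosts and i["zero"] == i["total"]}
```

Run it over `last -a` output captured from the host before it is taken offline; a flagged account with no legitimate reason to exist from those hosts is what to investigate first.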

Replies

Subject Author
Re: [gentoo-security] SSH login attempts and /var/log/wtmp Andrew Ross <aross@×××××××××××.au>