On Mon, 2 Aug 2004, Dan Margolis wrote:

> --[PinePGP]--------------------------------------------------[begin]--
> Bryan O'Shea wrote:
>
> | last -a | grep test
> | test pts/0 Tue Jul 27 00:45 - 00:45 (00:00) 80.28.219.40
> | test pts/0 Sat Jul 24 17:29 - 17:29 (00:00) 210.143.106.131
> | test pts/0 Sat Jul 24 11:10 - 11:10 (00:00) 61.109.156.5
> | test pts/0 Sun Jul 18 22:08 - 22:08 (00:00) 66.165.234.7
> | test pts/1 Thu Jul 15 09:03 - 09:03 (00:00) mail.schedl-automotive.de
> | test pts/0 Thu Jul 15 08:59 - 08:59 (00:00) mail.schedl-automotive.de
> | test pts/0 Thu Jul 15 08:57 - 08:57 (00:00) mail.schedl-automotive.de
> | test pts/0 Thu Jul 15 08:53 - 08:53 (00:00) mail.schedl-automotive.de
> | test pts/1 Wed Jul 14 12:37 - 12:37 (00:00) host2-140.pool21758.interbusiness.it
> | test pts/0 Tue Jul 13 01:23 - 01:23 (00:00) 216-55-164-10.dedicated.abac.net

> I would say that at the moment, it is best to assume, however unlikely,
> that your machine may have been compromised. I would take it off the
> network immediately and not use it until we reach the bottom of this.

Will do.

> I haven't fully analyzed all the ssh toolkits people have provided me,
> but so far I've yet to see anything other than ptrace and do_brk
> vulnerabilities, and normal SSH login attempts. However, one individual
> on full disclosure reported an oversized packet (?) captured with
> tcpdump, which he argued is evidence of some as-yet unknown OpenSSH
> vulnerability.

I haven't done any detailed capturing at this point.

> This is a vanilla 2004.1 install on x86, correct?

Yes, SMP x86 box.

--
gentoo-security@g.o mailing list
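The `last -a` listing quoted above is the kind of evidence a responder wants to triage quickly: one low-value account ("test") touched from many unrelated networks, every session closing within the same minute. The script below is an added example, not code from the thread or from Gentoo; it parses `last -a` style output and flags accounts seen from several distinct remote hosts, counting how many of their sessions lasted under a minute. The sample input is constructed here in `last -a` layout (the remote hosts echo the ones quoted, the "bryan" and "reboot" rows are made up), and the threshold `min_hosts=3` is an arbitrary choice.

```python
"""Triage `last -a` output: which accounts log in from many unrelated hosts?

Added example for the thread above; not from the original message.
`last -a` prints the remote host as the LAST column, which is what makes
the lines easy to parse even when hostnames are long.
"""
import re
from collections import defaultdict

# Constructed sample in `last -a` layout (user, tty, start, "- end (dur)"
# or "still logged in", remote host).  Not a real captured log.
SAMPLE_LAST_A = """\
test     pts/0        Tue Jul 27 00:45 - 00:45  (00:00)     80.28.219.40
test     pts/0        Sat Jul 24 17:29 - 17:29  (00:00)     210.143.106.131
test     pts/0        Sat Jul 24 11:10 - 11:10  (00:00)     61.109.156.5
test     pts/0        Sun Jul 18 22:08 - 22:08  (00:00)     66.165.234.7
test     pts/1        Thu Jul 15 09:03 - 09:03  (00:00)     mail.schedl-automotive.de
test     pts/0        Thu Jul 15 08:59 - 08:59  (00:00)     mail.schedl-automotive.de
test     pts/1        Wed Jul 14 12:37 - 12:37  (00:00)     host2-140.pool21758.interbusiness.it
test     pts/0        Tue Jul 13 01:23 - 01:23  (00:00)     216-55-164-10.dedicated.abac.net
bryan    pts/0        Mon Aug  2 09:12   still logged in    192.168.1.20
reboot   system boot  2.6.7-gentoo-r11 Mon Aug  2 08:55          (01:12)
"""

# One `last -a` row: user, tty, "Www Mmm dd hh:mm", then either
# "- hh:mm (duration)" or "still logged in", then the remote host.
LINE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+"
    r"(?P<start>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2})\s+"
    r"(?:- (?P<end>\d{2}:\d{2})\s+\((?P<dur>[\d:+]+)\)|still logged in)\s+"
    r"(?P<host>\S+)$"
)


def parse_last_a(text):
    """Return one dict per login row; wtmp pseudo-rows (reboot, shutdown)
    and anything else that does not look like a login are skipped."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        # dur is None for sessions still open; "00:00" means < 1 minute.
        row["zero_length"] = row["dur"] == "00:00"
        sessions.append(row)
    return sessions


def suspicious_accounts(sessions, min_hosts=3):
    """Accounts that logged in from at least `min_hosts` distinct remote
    hosts, with their session count and how many closed within a minute.
    The threshold is an assumption for this example, not a standard."""
    by_user = defaultdict(list)
    for s in sessions:
        by_user[s["user"]].append(s)

    flagged = {}
    for user, rows in by_user.items():
        hosts = {r["host"] for r in rows}
        if len(hosts) >= min_hosts:
            flagged[user] = {
                "hosts": sorted(hosts),
                "sessions": len(rows),
                "zero_length": sum(1 for r in rows if r["zero_length"]),
            }
    return flagged


if __name__ == "__main__":
    for user, info in suspicious_accounts(parse_last_a(SAMPLE_LAST_A)).items():
        print(f"{user}: {info['sessions']} sessions, "
              f"{info['zero_length']} under a minute, from {len(info['hosts'])} hosts")
        for h in info["hosts"]:
            print(f"    {h}")
```

Run it against the real thing with `last -a | python3 this_script.py` after swapping `SAMPLE_LAST_A` for `sys.stdin.read()`. Two caveats apply to anything built on `last`: it reads wtmp, which anyone who already has root can truncate or edit, so a clean listing proves nothing on its own; and a burst of sub-minute sessions from many networks on a throwaway account is consistent with a guessed or shared password as much as with a daemon exploit, which is why Dan's advice to pull the box off the network first and analyse afterwards is the right order.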