| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
Bryan O'Shea wrote: |
| 5 |
|
| 6 |
|
| 7 |
| last -a | grep test |
| 8 |
| test pts/0 Tue Jul 27 00:45 - 00:45 (00:00) 80.28.219.40 |
| 9 |
| test pts/0 Sat Jul 24 17:29 - 17:29 (00:00) |
| 10 |
210.143.106.131 |
| 11 |
| test pts/0 Sat Jul 24 11:10 - 11:10 (00:00) 61.109.156.5 |
| 12 |
| test pts/0 Sun Jul 18 22:08 - 22:08 (00:00) 66.165.234.7 |
| 13 |
| test pts/1 Thu Jul 15 09:03 - 09:03 (00:00) |
| 14 |
| mail.schedl-automotive.de |
| 15 |
| test pts/0 Thu Jul 15 08:59 - 08:59 (00:00) |
| 16 |
| mail.schedl-automotive.de |
| 17 |
| test pts/0 Thu Jul 15 08:57 - 08:57 (00:00) |
| 18 |
| mail.schedl-automotive.de |
| 19 |
| test pts/0 Thu Jul 15 08:53 - 08:53 (00:00) |
| 20 |
| mail.schedl-automotive.de |
| 21 |
| test pts/1 Wed Jul 14 12:37 - 12:37 (00:00) |
| 22 |
| host2-140.pool21758.interbusiness.it |
| 23 |
| test pts/0 Tue Jul 13 01:23 - 01:23 (00:00) |
| 24 |
| 216-55-164-10.dedicated.abac.net |
| 25 |
|
| 26 |
Probably rooted machines, but I'd try contacting the admins of these |
| 27 |
networks. |
| 28 |
|
| 29 |
| |
| 30 |
| ssh -v |
| 31 |
| OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004 |
| 32 |
| |
| 33 |
|
| 34 |
I can't think of any vulnerabilities here... |
| 35 |
|
| 36 |
| |
| 37 |
| Since these login attempts have appeared I have been monitoring closely |
| 38 |
| and have not experienced anymore attempts. |
| 39 |
| |
| 40 |
|
| 41 |
This isn't terribly reassuring, since an attacker could have exploited |
| 42 |
this access to add a rootkit, gain local root of some sort, or modify |
| 43 |
your logs. |
| 44 |
|
| 45 |
I would say that at the moment, it is best to assume, however unlikely, |
| 46 |
that your machine may have been compromised. I would take it off the |
| 47 |
network immediately and not use it until we reach the bottom of this. |
| 48 |
|
| 49 |
I haven't fully analyzed all the ssh toolkits people have provided me, |
| 50 |
but so far I've yet to see anything other than ptrace and do_brk |
| 51 |
vulnerabilities, and normal SSH login attempts. However, one individual |
| 52 |
on full disclosure reported an oversized packet (?) captured with |
| 53 |
tcpdump, which he argued is evidence of some as-yet unknown OpenSSH |
| 54 |
vulnerability. |
| 55 |
|
| 56 |
I wish I could help you more. All I can say is that this is quite scary, |
| 57 |
since my assumption up to this point has been that even if there is an |
| 58 |
unknown vulnerability, it must only affect a small number of systems. |
| 59 |
This is a vanilla 2004.1 install on x86, correct? |
| 60 |
- -- |
| 61 |
Dan ("KrispyKringle") |
| 62 |
Gentoo Linux Security Coordinator |
| 63 |
-----BEGIN PGP SIGNATURE----- |
| 64 |
Version: GnuPG v1.2.4 (Darwin) |
| 65 |
|
| 66 |
iQEVAwUBQQ6oqLDO2aFJ9pv2AQIHUQgAozzGhYhOML1gUrc43O+aG+8otFHhLZ2d |
| 67 |
F4djACg1zw3v9lCjd9vvyteLGadSpPP03UWa1I7Cgt+eDn6qKg7Pg8UQhap8Utay |
| 68 |
cJwp4ctCIC0kdtnQItYbI5CmT9qWjSHtauw8QNd+e36bd6EPxKih+gwgQpDu/dqV |
| 69 |
+RMKJLsUkSP9t6qTneuwD3iKjcPmPBcKgupNrggRaOq+sefnHSbFF9gKoRelBWZv |
| 70 |
EiDVGO7EVmZOtNt35cAA4g9FRzvv2YulXshNnAaDbDHGKBvQx8egkT15yEYrmUcs |
| 71 |
BCC8h9JSuYdnmGw/Z7eHwoltOd9/feidFEXsxgVGfcnS5HY97aT2uQ== |
| 72 |
=Boqu |
| 73 |
-----END PGP SIGNATURE----- |
| 74 |
|
| 75 |
-- |
| 76 |
gentoo-security@g.o mailing list |
Archives