-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Bryan O'Shea wrote:

| last -a | grep test
| test pts/0 Tue Jul 27 00:45 - 00:45 (00:00) 80.28.219.40
| test pts/0 Sat Jul 24 17:29 - 17:29 (00:00)
| 210.143.106.131
| test pts/0 Sat Jul 24 11:10 - 11:10 (00:00) 61.109.156.5
| test pts/0 Sun Jul 18 22:08 - 22:08 (00:00) 66.165.234.7
| test pts/1 Thu Jul 15 09:03 - 09:03 (00:00)
| mail.schedl-automotive.de
| test pts/0 Thu Jul 15 08:59 - 08:59 (00:00)
| mail.schedl-automotive.de
| test pts/0 Thu Jul 15 08:57 - 08:57 (00:00)
| mail.schedl-automotive.de
| test pts/0 Thu Jul 15 08:53 - 08:53 (00:00)
| mail.schedl-automotive.de
| test pts/1 Wed Jul 14 12:37 - 12:37 (00:00)
| host2-140.pool21758.interbusiness.it
| test pts/0 Tue Jul 13 01:23 - 01:23 (00:00)
| 216-55-164-10.dedicated.abac.net

Probably rooted machines, but I'd try contacting the admins of these
networks.

|
| ssh -v
| OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004
|

I can't think of any vulnerabilities here...

|
| Since these login attempts have appeared I have been monitoring closely
| and have not experienced any more attempts.
|

This isn't terribly reassuring, since an attacker could have exploited
this access to add a rootkit, gain local root of some sort, or modify
your logs.

I would say that at the moment, it is best to assume, however unlikely,
that your machine may have been compromised. I would take it off the
network immediately and not use it until we reach the bottom of this.

I haven't fully analyzed all the ssh toolkits people have provided me,
but so far I've yet to see anything other than ptrace and do_brk
vulnerabilities, and normal SSH login attempts. However, one individual
on Full-Disclosure reported an oversized packet (?) captured with
tcpdump, which he argued is evidence of some as-yet unknown OpenSSH
vulnerability.

I wish I could help you more. All I can say is that this is quite scary,
since my assumption up to this point has been that even if there is an
unknown vulnerability, it must only affect a small number of systems.
This is a vanilla 2004.1 install on x86, correct?
- --
Dan ("KrispyKringle")
Gentoo Linux Security Coordinator
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iQEVAwUBQQ6oqLDO2aFJ9pv2AQIHUQgAozzGhYhOML1gUrc43O+aG+8otFHhLZ2d
F4djACg1zw3v9lCjd9vvyteLGadSpPP03UWa1I7Cgt+eDn6qKg7Pg8UQhap8Utay
cJwp4ctCIC0kdtnQItYbI5CmT9qWjSHtauw8QNd+e36bd6EPxKih+gwgQpDu/dqV
+RMKJLsUkSP9t6qTneuwD3iKjcPmPBcKgupNrggRaOq+sefnHSbFF9gKoRelBWZv
EiDVGO7EVmZOtNt35cAA4g9FRzvv2YulXshNnAaDbDHGKBvQx8egkT15yEYrmUcs
BCC8h9JSuYdnmGw/Z7eHwoltOd9/feidFEXsxgVGfcnS5HY97aT2uQ==
=Boqu
-----END PGP SIGNATURE-----

--
gentoo-security@g.o mailing list