Re: Help... SSH CRC-32 compensation attack detector vulnerability
Hmm, well, for what I know, versions of OpenSSH higher than 2.9.x aren't vulnerable, so get your latest package and install it. :-))

Good luck

Petre L. Daniel
Linux Administrator, Canad Systems Pitesti
http://www.cyber.ro
email: [EMAIL PROTECTED]
phone: +4048220044, +4048206200

-----Original Message-----
From: Alejandro Borges [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 04, 2001 2:43 PM
To: z-deb-isp
Subject: Re: Help... SSH CRC-32 compensation attack detector vulnerability

Please... HOWTO

1.- detect this vulnerability
2.- get a chkrootkit deb for potato? (seems I get to choose between potato's security (stable) and potato's non-security (lack of a chkrootkit))

Alex
Re: Help... SSH CRC-32 compensation attack detector vulnerability
Please... HOWTO

1.- detect this vulnerability
2.- get a chkrootkit deb for potato? (seems I get to choose between potato's security (stable) and potato's non-security (lack of a chkrootkit))

Alex
Re: Help... SSH CRC-32 compensation attack detector vulnerability
On Mon, 2001-12-03 at 02:38, Jacob Kuntz wrote:
> Never really looked into how reliable that is, but it's there. I'd like to
> see apt-get support some sort of 'reinstall' command.

You mean it doesn't? I could have sworn...

(alternately: apt-get clean; apt-get --download-only install $package; dpkg -i /var/cache/apt/archives/package.deb)

> --
> Jacob Kuntz
> http://www.lucidpark.net/

--
Rens Houben                       | opinions are mine
Resident linux guru and sysadmin  | if my employers have one
Systemec Internet Services.       | they'll tell you themselves
PGP public key at http://suzaku.systemec.nl/shadur.key.asc
Re: Help... SSH CRC-32 compensation attack detector vulnerability
On Mon, Dec 03, 2001 at 09:33:07AM +1100, Jason Lim wrote:
> Hi,
>
> sigh... yes... some of our servers have been hit with the "SSH CRC-32
> compensation attack detector vulnerability" attack.
>
> some servers have been compromised, and the usual rootkit stuff (install
> root shells in /etc/inetd.conf, bogus syslogd, haxored ps, etc.).
>
> What is an easy way to locate binaries that are different from the ones
> provided in the original debs?

You *are* running either tripwire, or aide, right? :(

> And is there any other relatively easier way of cleaning up a system that
> has had a rootkit installed?

debsums will help you with identifying if a binary changed, but if something was added, you will never know unless you stumble off of it.

> We've done a netstat -a and removed/killed all strange processes, and
> cleaned inetd.conf as much as we can, but some of the programs in
> inetd.conf have themselves also been tampered with (eg. in.telnetd).
>
> Please help... I have a bad feeling the crackers are coming back real soon
> to really finish off the job... so any help at this time in removing all
> their crap would be greatly appreciated.

I'm really going to have to write up something on securing a machine. There is no such thing as an uncrackable machine, but your job of cleaning it up can be a little easier if you prepare ahead of time for it.

Tim

--
>> Tim Sailer (at home)                ><  Coastal Internet, Inc.  <<
>> Network and Systems Operations      ><  PO Box 671              <<
>> http://www.buoy.com                 ><  Ridge, NY 11961         <<
>> [EMAIL PROTECTED]/[EMAIL PROTECTED] ><  (631) 924-3728          <<
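
The distinction drawn in the reply above (checksums catch a changed binary but not an added one), as an added example that is not part of the thread: one function checks package-owned files against the recorded MD5 sums, a second lists files that no package claims. It assumes the suspect disk is mounted under a trusted rescue system; the function names, the mount point in the usage comment and the miniature sample root are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Audits a Debian root filesystem offline:
# ROOT is the suspect system mounted under a trusted rescue environment.

# changed_files ROOT
# Report package-owned files that are missing or whose MD5 differs from the
# value recorded in ROOT/var/lib/dpkg/info/<package>.md5sums.
changed_files() {
    root=$1
    for sums in "$root"/var/lib/dpkg/info/*.md5sums; do
        [ -f "$sums" ] || continue
        # Each line is "<md5>  <path without leading slash>".
        while read -r want path; do
            if [ ! -f "$root/$path" ]; then
                echo "MISSING /$path"
            elif [ "$(md5sum < "$root/$path" | cut -d' ' -f1)" != "$want" ]; then
                echo "CHANGED /$path"
            fi
        done < "$sums"
    done
}

# unowned_files ROOT DIR...
# Report regular files under each DIR that no package's .list file claims.
# This is the "something was added" case that checksums cannot see.
unowned_files() {
    root=$1; shift
    owned=$(mktemp)
    cat "$root"/var/lib/dpkg/info/*.list 2>/dev/null | LC_ALL=C sort -u > "$owned"
    for dir in "$@"; do
        [ -d "$root$dir" ] || continue
        (cd "$root" && find ".$dir" -type f) | sed 's|^\.||' | LC_ALL=C sort |
            LC_ALL=C comm -13 "$owned" - | sed 's|^|UNOWNED |'
    done
    rm -f "$owned"
}

# make_sample_root: build a constructed miniature root for demonstration.
# Package "demo" ships /bin/ps and /sbin/syslogd; ps is then altered and an
# extra /sbin/extra file is dropped in. All names and contents are made up.
make_sample_root() {
    r=$(mktemp -d)
    mkdir -p "$r/bin" "$r/sbin" "$r/var/lib/dpkg/info"
    echo "original ps" > "$r/bin/ps"
    echo "original syslogd" > "$r/sbin/syslogd"
    printf '/bin\n/bin/ps\n/sbin\n/sbin/syslogd\n' > "$r/var/lib/dpkg/info/demo.list"
    (cd "$r" && md5sum bin/ps sbin/syslogd) > "$r/var/lib/dpkg/info/demo.md5sums"
    echo "altered ps" > "$r/bin/ps"
    echo "not from any package" > "$r/sbin/extra"
    echo "$r"
}

# Usage: sh audit.sh /mnt/suspect   (mount point is an example path)
if [ $# -gt 0 ]; then
    changed_files "$1"
    unowned_files "$1" /bin /sbin /usr/bin /usr/sbin
fi
```

The .md5sums files live on the suspect disk as well, so a clean result means little unless they are compared against copies taken from known-good packages. Files created by maintainer scripts or installed locally also show up as UNOWNED, so the output is a review list rather than a verdict.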
Re: Help... SSH CRC-32 compensation attack detector vulnerability
> Never really looked into how reliable that is, but it's there. I'd like to
> see apt-get support some sort of 'reinstall' command.

apt-get install --reinstall package

Regards
Tim
Re: Help... SSH CRC-32 compensation attack detector vulnerability
I know this is not a complete solution, but for starters you could try 'chkrootkit':

http://packages.debian.org/unstable/misc/chkrootkit.html
http://www.chkrootkit.org/

Stable doesn't have a package but I'm sure you could build the unstable .deb from source.

Regards
Tim

>>> "Jason Lim" <[EMAIL PROTECTED]> 12/03/01 08:33AM >>>
Hi,

sigh... yes... some of our servers have been hit with the "SSH CRC-32 compensation attack detector vulnerability" attack.

some servers have been compromised, and the usual rootkit stuff (install root shells in /etc/inetd.conf, bogus syslogd, haxored ps, etc.).

What is an easy way to locate binaries that are different from the ones provided in the original debs?

And is there any other relatively easier way of cleaning up a system that has had a rootkit installed?

We've done a netstat -a and removed/killed all strange processes, and cleaned inetd.conf as much as we can, but some of the programs in inetd.conf have themselves also been tampered with (eg. in.telnetd).

Please help... I have a bad feeling the crackers are coming back real soon to really finish off the job... so any help at this time in removing all their crap would be greatly appreciated.

Sincerely,
Jason
Re: Help... SSH CRC-32 compensation attack detector vulnerability
The patch is to use the "ssh" package in unstable... and I think in the security-updates. We were using ssh-nonfree and that is vulnerable. I think they released a patch and the debs have since been updated, but I'd be wary of staying with ssh-nonfree now that a hole is right there.

Damn... now the messy clean up process left after numerous rootkits have been installed.

We're just trying to cp -a all the files from our backups into their right places. That should solve things. If anyone has better ideas, please let me know.

Sincerely,
Jason

----- Original Message -----
From: "Keith Elder" <[EMAIL PROTECTED]>
To: "Jason Lim" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, December 03, 2001 1:11 PM
Subject: Re: Help... SSH CRC-32 compensation attack detector vulnerability

> What is the patch to plug this hole?
>
> K.
>
> * Jason Lim ([EMAIL PROTECTED]) wrote:
> > Reply-To: "Jason Lim" <[EMAIL PROTECTED]>
> > From: "Jason Lim" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Subject: Help... SSH CRC-32 compensation attack detector vulnerability
> > Date: Mon, 3 Dec 2001 09:33:07 +1100
> > X-Mailer: Microsoft Outlook Express 6.00.2600.
> >
> > Hi,
> >
> > sigh... yes... some of our servers have been hit with the "SSH CRC-32
> > compensation attack detector vulnerability" attack.
> >
> > some servers have been compromised, and the usual rootkit stuff (install
> > root shells in /etc/inetd.conf, bogus syslogd, haxored ps, etc.).
> >
> > What is an easy way to locate binaries that are different from the ones
> > provided in the original debs?
> >
> > And is there any other relatively easier way of cleaning up a system that
> > has had a rootkit installed?
> >
> > We've done a netstat -a and removed/killed all strange processes, and
> > cleaned inetd.conf as much as we can, but some of the programs in
> > inetd.conf have themselves also been tampered with (eg. in.telnetd).
> >
> > Please help... I have a bad feeling the crackers are coming back real soon
> > to really finish off the job... so any help at this time in removing all
> > their crap would be greatly appreciated.
> >
> > Sincerely,
> > Jason
>
> ###
> Keith Elder
> Email: [EMAIL PROTECTED]
> Phone: 1-734-507-1438
> Text Messaging (145 characters): [EMAIL PROTECTED]
> Web: http://www.zorka.com (Howto's, News, and hosting!)
>
> "With enough memory and hard drive space
> anything in life is psosible!"
> ###
Re: Help... SSH CRC-32 compensation attack detector vulnerability
What is the patch to plug this hole?

K.

* Jason Lim ([EMAIL PROTECTED]) wrote:
> Reply-To: "Jason Lim" <[EMAIL PROTECTED]>
> From: "Jason Lim" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Subject: Help... SSH CRC-32 compensation attack detector vulnerability
> Date: Mon, 3 Dec 2001 09:33:07 +1100
> X-Mailer: Microsoft Outlook Express 6.00.2600.
>
> Hi,
>
> sigh... yes... some of our servers have been hit with the "SSH CRC-32
> compensation attack detector vulnerability" attack.
>
> some servers have been compromised, and the usual rootkit stuff (install
> root shells in /etc/inetd.conf, bogus syslogd, haxored ps, etc.).
>
> What is an easy way to locate binaries that are different from the ones
> provided in the original debs?
>
> And is there any other relatively easier way of cleaning up a system that
> has had a rootkit installed?
>
> We've done a netstat -a and removed/killed all strange processes, and
> cleaned inetd.conf as much as we can, but some of the programs in
> inetd.conf have themselves also been tampered with (eg. in.telnetd).
>
> Please help... I have a bad feeling the crackers are coming back real soon
> to really finish off the job... so any help at this time in removing all
> their crap would be greatly appreciated.
>
> Sincerely,
> Jason

###
Keith Elder
Email: [EMAIL PROTECTED]
Phone: 1-734-507-1438
Text Messaging (145 characters): [EMAIL PROTECTED]
Web: http://www.zorka.com (Howto's, News, and hosting!)

"With enough memory and hard drive space
anything in life is psosible!"
###
Re: Help... SSH CRC-32 compensation attack detector vulnerability
On Mon, Dec 03, 2001 at 09:33:07AM +1100, Jason Lim wrote:
> What is an easy way to locate binaries that are different from the ones
> provided in the original debs?

man debsums

> And is there any other relatively easier way of cleaning up a system that
> has had a rootkit installed?

apt-get install chkrootkit

Never really looked into how reliable that is, but it's there. I'd like to see apt-get support some sort of 'reinstall' command.

--
Jacob Kuntz
http://www.lucidpark.net/
Help... SSH CRC-32 compensation attack detector vulnerability
Hi,

sigh... yes... some of our servers have been hit with the "SSH CRC-32 compensation attack detector vulnerability" attack.

some servers have been compromised, and the usual rootkit stuff (install root shells in /etc/inetd.conf, bogus syslogd, haxored ps, etc.).

What is an easy way to locate binaries that are different from the ones provided in the original debs?

And is there any other relatively easier way of cleaning up a system that has had a rootkit installed?

We've done a netstat -a and removed/killed all strange processes, and cleaned inetd.conf as much as we can, but some of the programs in inetd.conf have themselves also been tampered with (eg. in.telnetd).

Please help... I have a bad feeling the crackers are coming back real soon to really finish off the job... so any help at this time in removing all their crap would be greatly appreciated.

Sincerely,
Jason