Michael, what was the key added to your authorized_keys file? I fear that one of my client's hosts has been compromised, too....
Dave

On Fri, Nov 15, 2002 at 07:40:47PM -0500, Michael Richardson wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>
> 1) the machine hosting cvs.tcpdump.org was likely compromised
>    between Nov. 7th and Nov. 10th at 18:24pm.
>
>    The method was likely through an unpatched openssh daemon.
>    (The rest of my servers run SSH.com)
>    I have not yet confirmed this for sure.
>
> 2) an additional public key was added to the .ssh/authorized_keys
>    file for my account. This account was used to install the trojan
>    files at 10:14am, Monday Nov. 11.
>
> 3) The machine was taken offline around 11am Wednesday Nov. 13th.
>    The machine is also my mail relay, and stealth DNS primary for
>    unsigned (non-DNSSEC) zones.
>    As such, the machine has been left on, with no default route,
>    but able to exchange DNS and SMTP with others.
>
> 4) I have examined the mirrors and confirmed that many mirror operators
>    did not take the code offline. Therefore, I've restored the proper
>    files, and restored connectivity to the mirror sites.
>
>    The restored files are from my laptop.
>    The md5sum of the files on my laptop match those provided by CERT,
>    and the files on sourceforge.net.
>
>    I have additionally signed the files with my key. We will generate
>    a key for really doing this.
>
>    I have not restored 3.6.2, as I haven't yet tracked a perfect copy
>    of this, but will soon.
>
> 5) I will edit the web site soon to provide this information.
>
> 6) I think that we should release a 3.7.1b or .2 or something, no
>    code change, just to flush things out.
>
> 7) the machine will get flushed (i.e. reformatted) when I return from
>    Atlanta/IETF. I expect to limp along until then in this configuration.
>    This means that there will be no anon-cvs, and no SSH access.
>
> ]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
> ]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
> ] [EMAIL PROTECTED] http://www.sandelman.ottawa.on.ca/          |device driver[
> ] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.7 (GNU/Linux)
> Comment: Finger me for keys
> -----END PGP SIGNATURE-----
> -
> This is the TCPDUMP announcement list. It is archived at
> http://www.tcpdump.org/lists/announce/maillist.html
> To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
> -
> This is the TCPDUMP workers list. It is archived at
> http://www.tcpdump.org/lists/workers/index.html
> To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe

--
David Young             OJC Technologies
[EMAIL PROTECTED]       Engineering from the Right Brain
Urbana, IL * (217) 278-3933
