SSH exploited!
Results 1 to 6 of 6

Thread: SSH exploited!

  1. #1
    AntiOnline Senior Medicine Man
    Join Date
    Nov 2001
    Posts
    724

    SSH exploited!

    Hmm... well it seems as though a hacker or someone of that nature has exploited a bunch of servers on our racks. What sux, is he is launching DOS/Syn/DDOS attacks against our switches, taking down entire subnets. We think he has gotten access by using an SSH exploit. the problem is, that our entire Networking team is sitting around with their thumbs up their asses not knowing what to do except pull the racks, or block them at router level.

    Now, we have figured out that the exploit being used does not effect the new version of SSH, but we cant exactly go into 10,000 boxes and upgrade them. If any one can tell me anything about what this SSH exploit does, and how it works, and how it can be stopped, I would have a edge over the other NOCs.

    What the other Nocs dont know, is that I have the advantage of being a member of Antionline.
    Please help!
    It is better to be HATED for who you are, than LOVED for who you are NOT.

    THC/IP Version 4.2

  2. #2
    Member
    Join Date
    Mar 2002
    Posts
    67

    SSH Exploit

    Was the attack based of the exploit for SSHv1 or SSHv2?

    I can check tomorrow at work for you on the exploit details and impacts, but won't have a chance to get back to you tomorrow night (which doesn't help much tonight)...

    I can check the CERT site for you and get back, if you wish.
    \"No matter where you go,
    there you are.\"

  3. #3
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Info about the vulnerability:
    http://www.openssh.org
    http://www.openssh.org/txt/iss.adv
    http://www.openssh.org/txt/preauth.adv

    Dunno if you run snort somewhere on your network, you might want to try these sigs: (the ones about gobbles)
    http://www.snort.org/cgi-bin/sigs-search.cgi?sid=ssh
    Credit travels up, blame travels down -- The Boss

  4. #4
    AntiOnline Senior Medicine Man
    Join Date
    Nov 2001
    Posts
    724
    Thanks for the info guys...
    It is better to be HATED for who you are, than LOVED for who you are NOT.

    THC/IP Version 4.2

  5. #5
    Senior Member
    Join Date
    Dec 2001
    Posts
    291
    hate to say it but your probably going to want to burn down all the boxes and redeploy one by one, chances are also that your going to want to keep the new boxes from sharing any sort of trusted communications with the existing boxes.

    your best bet is to get into each box as root, kill any funky running processes that arent yours and shut as many services down as you can untill you can get the boxes reloaded. Also check your users... delete any users that shouldnt be there and change passwords for existing users (especially root). patch everything up as soon as possible, and slate a burn down and reload of the box as soon as business allows (trust me I know how hard it is to burn down an essential box in a business environment)

    Be especially wary of placed trojans (you did use a file checking program such as tripwire right??) as it is very possible that a very common binary such as VI or ls has been replaced with god knows what. but if you can kill off anything that shouldnt be there (that you can find) and patch up it should buy you some time.

    good luck!
    ~THEJRC~
    I\'ll preach my pessimism right out loud to anyone that listens!
    I\'m not afraid to be alive.... I\'m afraid to be alone.

  6. #6
    Senior Member
    Join Date
    Oct 2001
    Posts
    638
    We had the very same problem last week at work only it was caused by the recent apache-ssl worm. Some people obviously hadn't patched SSL on their web servers. The attacks got so bad one of our firewall boxes was effectively knocked out of action.
    OpenBSD - The proactively secure operating system.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •