-
October 2nd, 2002, 02:56 AM
#1
SSH exploited!
Hmm... well, it seems as though a hacker or someone of that nature has exploited a bunch of servers on our racks. What sucks is he is launching DOS/SYN/DDOS attacks against our switches, taking down entire subnets. We think he has gotten access by using an SSH exploit. The problem is that our entire networking team is sitting around with their thumbs up their asses, not knowing what to do except pull the racks or block them at router level.
Now, we have figured out that the exploit being used does not affect the new version of SSH, but we can't exactly go into 10,000 boxes and upgrade them. If anyone can tell me anything about what this SSH exploit does, how it works, and how it can be stopped, I would have an edge over the other NOCs.
What the other NOCs don't know is that I have the advantage of being a member of Antionline.
Please help!
It is better to be HATED for who you are, than LOVED for who you are NOT.
THC/IP Version 4.2
-
October 2nd, 2002, 03:06 AM
#2
Member
SSH Exploit
Was the attack based off the exploit for SSHv1 or SSHv2?
I can check tomorrow at work for you on the exploit details and impacts, but won't have a chance to get back to you tomorrow night (which doesn't help much tonight)...
I can check the CERT site for you and get back, if you wish.
"No matter where you go,
there you are."
-
October 2nd, 2002, 03:39 AM
#3
Credit travels up, blame travels down -- The Boss
-
October 2nd, 2002, 04:26 AM
#4
Thanks for the info guys...
It is better to be HATED for who you are, than LOVED for who you are NOT.
THC/IP Version 4.2
-
October 2nd, 2002, 05:17 AM
#5
Hate to say it, but you're probably going to want to burn down all the boxes and redeploy one by one. Chances are also that you're going to want to keep the new boxes from sharing any sort of trusted communications with the existing boxes.
Your best bet is to get into each box as root, kill any funky running processes that aren't yours, and shut as many services down as you can until you can get the boxes reloaded. Also check your users... delete any users that shouldn't be there and change passwords for existing users (especially root). Patch everything up as soon as possible, and slate a burn down and reload of the box as soon as business allows (trust me, I know how hard it is to burn down an essential box in a business environment).
Be especially wary of placed trojans (you did use a file checking program such as Tripwire, right??) as it is very possible that a very common binary such as vi or ls has been replaced with God knows what. But if you can kill off anything that shouldn't be there (that you can find) and patch up, it should buy you some time.
good luck!
~THEJRC~
I'll preach my pessimism right out loud to anyone that listens!
I'm not afraid to be alive.... I'm afraid to be alone.
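A minimal Tripwire-style integrity check of the kind this reply recommends (baseline the hashes and permission bits of critical binaries, then diff the live system against it), added here as an example that is not from the thread. It uses constructed stand-in files in a temporary directory instead of real system binaries, and the names `ls`, `vi` and `sh` are just the scenario.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths):
    """Record hash, size and permission bits for each path (taken on a known-good system)."""
    baseline = {}
    for p in paths:
        st = os.stat(p)
        baseline[str(p)] = {"sha256": hash_file(p), "size": st.st_size,
                            "mode": st.st_mode & 0o7777}
    return baseline

def check_against_baseline(baseline):
    """Compare the live files with the baseline; report what changed or vanished."""
    findings = {"modified": [], "missing": [], "mode_changed": []}
    for path, rec in baseline.items():
        if not os.path.exists(path):
            findings["missing"].append(path)
            continue
        st = os.stat(path)
        if hash_file(path) != rec["sha256"]:
            findings["modified"].append(path)
        if (st.st_mode & 0o7777) != rec["mode"]:
            findings["mode_changed"].append(path)
    return findings

def demo():
    """Constructed scenario: stand-in 'ls', 'vi', 'sh'; then ls is replaced, vi re-moded, sh deleted."""
    with tempfile.TemporaryDirectory() as d:
        ls, vi, sh = (Path(d) / n for n in ("ls", "vi", "sh"))
        for f in (ls, vi, sh):
            f.write_bytes(b"#!/bin/sh\necho genuine " + f.name.encode() + b"\n")
            f.chmod(0o755)
        baseline = build_baseline([ls, vi, sh])        # snapshot taken before the compromise
        ls.write_bytes(b"#!/bin/sh\necho replaced\n")  # simulated trojaned binary
        vi.chmod(0o700)                                # simulated permission change
        sh.unlink()                                    # simulated deleted binary
        return check_against_baseline(baseline)

if __name__ == "__main__":
    print(demo())
```

Keep the baseline and the checker itself off the suspect host (read-only media or another machine), since on a compromised box the hashing tool and its libraries may be exactly what was replaced.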
-
October 2nd, 2002, 06:56 AM
#6
We had the very same problem last week at work, only it was caused by the recent Apache-SSL worm. Some people obviously hadn't patched SSL on their web servers. The attacks got so bad that one of our firewall boxes was effectively knocked out of action.
OpenBSD - The proactively secure operating system.