[ale] ssh exploited?

Michael E. Barker mbarker68 at home.com
Thu Feb 7 11:25:15 EST 2002


"James P. Kinney III" wrote:
> 
> Check your version of ssh. Openssh v. 3.0+ is NOT vulnerable to that
> overflow error.
> 
> Also, verify that the interface it's coming in on is really what you
> think it is. Add a firewall rule to log incoming port 22 packets. You
> can set the log string to be whatever you want. So set one for external
> interface and one for internal interface.
> 
> On Wed, 2002-02-06 at 22:30, John Wells wrote:
> > I was examining my snort log files on my firewall
> > tonight and found a ssh exploit notification (see end
> > of this message).
> >
> > The scary (odd) thing is, it seems to be coming from a
> > box on my internal lan (172.16.2.4) to my
> > gateway/firewall (172.16.2.1).  Does this mean that my
> > internal box has been compromised?  Or is this
> > something snort is picking up when I ssh from machine
> > to machine?
> >
> > Thanks for your input...
> >
> > John
> > ----------------------------------------
> >
> > [**] [1:1325:2] EXPLOIT ssh CRC32 overflow filler [**]
> > [Classification: Executable code was detected]
> > [Priority: 1]
> > 01/27-20:02:27.610333 172.16.2.4:33834 ->
> > 172.16.2.1:22
> > TCP TTL:64 TOS:0x0 ID:44352 IpLen:20 DgmLen:684 DF
> > ***AP*** Seq: 0x3FFCB271  Ack: 0xE2D6D162  Win: 0x16D0
> >  TcpLen: 32
> > TCP Options (3) => NOP NOP TS: 1580910 1633560
> > [Xref => http://www.securityfocus.com/bid/2347]
> > [Xref =>
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0144]
> >
> > [**] [1:1325:2] EXPLOIT ssh CRC32 overflow filler [**]
> > [Classification: Executable code was detected]
> > [Priority: 1]
> > 01/27-20:02:27.610333 172.16.2.4:33834 ->
> > 172.16.2.1:22
> > TCP TTL:64 TOS:0x0 ID:44352 IpLen:20 DgmLen:684 DF
> > ***AP*** Seq: 0x3FFCB271  Ack: 0xE2D6D162  Win: 0x16D0
> >  TcpLen: 32
> > TCP Options (3) => NOP NOP TS: 1580910 1633560
> > [Xref => http://www.securityfocus.com/bid/2347]
> > [Xref =>
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0144]
> >
> > ---
> > This message has been sent through the ALE general discussion list.
> > See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
> > sent to listmaster at ale dot org.
> >
> --
> James P. Kinney III   \Changing the mobile computing world/
> President and COO      \          one Linux user         /
> Local Net Solutions,LLC \           at a time.          /
> 770-493-8244             \.___________________________./
> 
> GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
> <jkinney at localnetsolutions.com>
> Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
> 

I have upgraded to sshV3+ via rpm -U but I get a message about a mismatch
with openssl:

OpenSSL version mismatch. Built against 90581f, you have 90602f
[FAILED]

I upgraded openssl to 0.9.6c but still get the same message when trying
to restart sshd.

I'm doing this remotely on a machine that is 80 miles from me and want to
be careful not to hose my connectivity.

Any suggestions?
-- 
-Michael

---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.
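As an added example (not part of the thread), a small Python triage script for the Snort full-format alert John quotes above: it parses the alert records, collapses repeats of the same flow, and labels whether the source address falls in RFC 1918 space, which is the question the thread is asking. The sample alert text is constructed from the quoted alert (trimmed to the lines the parser uses), and 203.0.113.7 is a made-up external address added for contrast.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed sample modelled on the alert quoted in the thread (mail wrapping undone,
# trimmed to the header, flow and Xref lines); 203.0.113.7 is a made-up external source.
SAMPLE_ALERTS = """\
[**] [1:1325:2] EXPLOIT ssh CRC32 overflow filler [**]
01/27-20:02:27.610333 172.16.2.4:33834 -> 172.16.2.1:22
[Xref => http://www.securityfocus.com/bid/2347]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0144]

[**] [1:1325:2] EXPLOIT ssh CRC32 overflow filler [**]
01/27-20:02:27.610333 172.16.2.4:33834 -> 172.16.2.1:22
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0144]

[**] [1:1325:2] EXPLOIT ssh CRC32 overflow filler [**]
01/27-21:14:02.000001 203.0.113.7:4411 -> 172.16.2.1:22
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0144]
"""

HEADER = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")
FLOW = re.compile(r"^(\S+) (\d+(?:\.\d+){3}):(\d+) -> (\d+(?:\.\d+){3}):(\d+)$", re.M)
XREF = re.compile(r"\[Xref => (\S+)\]")
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # RFC 1918
Alert = namedtuple("Alert", "sid msg ts src sport dst dport xrefs")

def parse_alerts(text):
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):  # one record per blank-line-separated block
        h, f = HEADER.search(block), FLOW.search(block)
        if h and f:  # skip fragments that lack a rule header or a flow line
            alerts.append(Alert(int(h.group(2)), h.group(4), f.group(1), f.group(2),
                                int(f.group(3)), f.group(4), int(f.group(5)), XREF.findall(block)))
    return alerts

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL)

def triage(alerts):
    """Collapse repeats per (sid, src, dst, dport) and label whether the source is on the LAN."""
    flows = {}
    for a in alerts:
        origin = "internal" if is_internal(a.src) else "external"
        e = flows.setdefault((a.sid, a.src, a.dst, a.dport),
                             {"msg": a.msg, "origin": origin, "count": 0, "xrefs": set()})
        e["count"] += 1
        e["xrefs"].update(a.xrefs)
    return flows
```

An "internal" flow from a host you were ssh-ing from at that time points to a signature false positive on legitimate traffic; an "external" one against an unpatched sshd is what the sid 1325 rule exists to catch.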