The patch is to use the "ssh" package in unstable... and I think in the security-updates.

We were using ssh-nonfree and that is vulnerable. I think they released a patch and the debs have since been updated, but I'd be wary of staying with ssh-nonfree now that a hole is right there.

Damn... now the messy clean up process left after numerous rootkits have been installed. We're just trying to cp -a all the files from our backups into their right places. That should solve things.

If anyone has better ideas, please let me know.

Sincerely,
Jason

----- Original Message -----
From: "Keith Elder" <[EMAIL PROTECTED]>
To: "Jason Lim" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, December 03, 2001 1:11 PM
Subject: Re: Help... SSH CRC-32 compensation attack detector vulnerability

> What is the patch to plug this hole?
>
> K.
>
> * Jason Lim ([EMAIL PROTECTED]) wrote:
> > Reply-To: "Jason Lim" <[EMAIL PROTECTED]>
> > From: "Jason Lim" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Subject: Help... SSH CRC-32 compensation attack detector vulnerability
> > Date: Mon, 3 Dec 2001 09:33:07 +1100
> > X-Mailer: Microsoft Outlook Express 6.00.2600.0000
> >
> > Hi,
> >
> > sigh... yes... some of our servers have been hit with the "SSH CRC-32
> > compensation attack detector vulnerability" attack.
> >
> > some servers have been compromised, and the usual rootkit stuff (install
> > root shells in /etc/inetd.conf, bogus syslogd, haxored ps, etc.).
> >
> > What is an easy way to locate binaries that are different from the ones
> > provided in the original debs?
> >
> > And is there any other relatively easier way of cleaning up a system that
> > has had a rootkit installed?
> >
> > We've done a netstat -a and removed/killed all strange processes, and
> > cleaned inetd.conf as much as we can, but some of the programs in
> > inetd.conf have themselves also been tampered with (eg. in.telnetd).
> >
> > Please help... I have a bad feeling the crackers are coming back real soon
> > to really finish off the job... so any help at this time in removing all
> > their crap would be greatly appreciated.
> >
> > Sincerely,
> > Jason
> >
> > --
> > To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
> >
> #######################################################
> Keith Elder
> Email: [EMAIL PROTECTED]
> Phone: 1-734-507-1438
> Text Messaging (145 characters): [EMAIL PROTECTED]
> Web: http://www.zorka.com (Howto's, News, and hosting!)
>
> "With enough memory and hard drive space
> anything in life is possible!"
> #######################################################
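
On the question quoted above about locating binaries that differ from the ones shipped in the original debs, the following is an added example and not part of the thread. It checks files under a mounted filesystem against a checksum list in the format dpkg keeps under /var/lib/dpkg/info/<package>.md5sums. Assumptions: the list comes from a known-good source (pristine .debs or a clean machine) and the check runs from a trusted rescue environment, since a host with a replaced ps and syslogd cannot vouch for its own md5sum or package database; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread.
# check_md5sums LIST ROOT
#   LIST: lines of "<md5hex>  <path relative to ROOT>" (dpkg .md5sums format)
#   ROOT: where the suspect filesystem is mounted (assumption: inspected from
#         a trusted rescue environment, LIST taken from a known-good source)
# Prints CHANGED/MISSING per failing entry; returns 1 if any entry fails.
check_md5sums() {
    list=$1 root=$2 status=0
    while read -r want path; do
        [ -n "$path" ] || continue            # skip blank or malformed lines
        file="$root/$path"
        if [ -L "$file" ] || [ ! -f "$file" ]; then
            echo "MISSING /$path"             # gone, or no longer a regular file
            status=1
            continue
        fi
        have=$(md5sum < "$file" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "CHANGED /$path"
            status=1
        fi
    done < "$list"
    return "$status"
}

# Constructed sample: a tiny fake root with one replaced and one deleted file.
demo() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/root/bin" "$d/root/sbin" "$d/root/usr/sbin"
    echo 'packaged ps'      > "$d/root/bin/ps"
    echo 'packaged syslogd' > "$d/root/sbin/syslogd"
    echo 'packaged telnetd' > "$d/root/usr/sbin/in.telnetd"
    (cd "$d/root" && md5sum bin/ps sbin/syslogd usr/sbin/in.telnetd) > "$d/list"
    echo 'replaced ps' > "$d/root/bin/ps"     # simulate a swapped binary
    rm "$d/root/usr/sbin/in.telnetd"          # simulate a removed file
    check_md5sums "$d/list" "$d/root" && rc=0 || rc=$?
    rm -rf "$d"
    return "$rc"
}

# Real use: check_md5sums /path/to/trusted/pkg.md5sums /mnt/suspect
if [ "$#" -eq 2 ]; then check_md5sums "$1" "$2"; fi
```

A clean result only covers the files named in the list; files the rootkit added, and configuration such as /etc/inetd.conf, are outside what package checksums can show.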