On Fri, Jun 13, 2003 at 05:15:28PM -0400, David B Harris wrote:
> (This version of the message sent to you personally in the off chance
> that you're not subscribed to debian-security@lists.debian.org; sorry
> for not doing it via Cc:, but I forgot.)
>
> On Fri, 13 Jun 2003 14:18:44 -0400
> Tim Peeler <[EMAIL PROTECTED]> wrote:
> > In the last 4-5 days we have had 8 servers come under attack. We are
> > working frantically to keep ahead of these attacks. We have come to the
> > conclusion that the SSH in woody is likely vulnerable. Of the 8 servers
> > that have been broken into, half of them are running 2.2.20 and half
> > are running 2.4.18. We have been updating all servers to 2.4.21-rc8.
> > We are ruling out a kernel exploit because of this. Of the servers
> > attacked, one was only running sshd (from woody). We have not had time
> > to analyze where the exploit occurs in sshd, but we are very confident
> > that this is the location of the exploit. We have begun upgrading to
> > a backport of the testing version of ssh which appears to be helping.
>
> Could you provide your /etc/ssh/sshd_config, the version of your "ssh"
> package, and the output from 'debsums ssh'? Thanks.
>
sshd_config for compromised server attached, as well as the output of
debsums ssh

SSH Version: 3.4p1-1

Just for information, these failed the global check:

bin/cp FAILED
bin/dd FAILED
bin/df FAILED
bin/dir FAILED
bin/ln FAILED
bin/ls FAILED
bin/mv FAILED
bin/rm FAILED
bin/su FAILED
bin/ping FAILED
bin/ps FAILED
bin/kill FAILED
bin/date FAILED
bin/echo FAILED
bin/pwd FAILED
bin/tar FAILED
bin/tcsh FAILED
bin/cat FAILED
# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2,1
# HostKeys for protocol version 1
HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 600
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# rhosts authentication should not be used
RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Uncomment to disable s/key passwords
#ChallengeResponseAuthentication no

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes

# Use PAM authentication via keyboard-interactive so PAM modules can
# properly interface with the user
PAMAuthenticationViaKbdInt yes

# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no

# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes

X11Forwarding no
X11DisplayOffset 10
PrintMotd no
#PrintLastLog no
KeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net
#ReverseMappingCheck yes

Subsystem sftp /usr/lib/sftp-server

#UsePrivilegeSeparation yes

AllowUsers root cjf linforce afradm afrjradm ave dave
usr/bin/ssh OK
usr/bin/scp OK
usr/bin/ssh-add OK
usr/bin/ssh-agent OK
usr/bin/ssh-keygen OK
usr/bin/ssh-keyscan OK
usr/bin/sftp OK
usr/bin/ssh-copy-id OK
usr/sbin/sshd OK
usr/lib/ssh-keysign OK
usr/lib/sftp-server OK
usr/share/man/man1/scp.1.gz OK
usr/share/man/man1/ssh-agent.1.gz OK
usr/share/man/man1/ssh-keygen.1.gz OK
usr/share/man/man1/ssh-keyscan.1.gz OK
usr/share/man/man1/sftp.1.gz OK
usr/share/man/man1/ssh-copy-id.1.gz OK
usr/share/man/man1/ssh.1.gz OK
usr/share/man/man1/ssh-add.1.gz OK
usr/share/man/man8/ssh-keysign.8.gz OK
usr/share/man/man8/sshd.8.gz OK
usr/share/man/man8/sftp-server.8.gz OK
usr/share/man/man5/ssh_config.5.gz OK
usr/share/man/man5/sshd_config.5.gz OK
usr/share/doc/ssh/README OK
usr/share/doc/ssh/changelog.gz OK
usr/share/doc/ssh/copyright OK
usr/share/doc/ssh/RFC.gz OK
usr/share/doc/ssh/OVERVIEW.gz OK
usr/share/doc/ssh/README.Debian.gz OK
usr/share/doc/ssh/changelog.Debian.gz OK
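The two artefacts posted above, the debsums report and the sshd_config, are what a responder triages first. The Python below is an added example, not code from this thread, from Debian or from the ssh package: it parses debsums output to list modified binaries under the system directories, and reads sshd_config with sshd's rule that the first occurrence of a keyword wins, flagging the settings a reviewer would question in the file shown (Protocol 2,1, PermitRootLogin yes, PasswordAuthentication yes, UsePrivilegeSeparation left commented out, root in AllowUsers). The sample inputs are copied and trimmed from the mail; the function names and the CORE_DIRS list are this example's own choices. The point a practitioner takes from the debsums half is that when ls, ps, su and friends fail their checksums while every file of the ssh package verifies OK, the host's own tools can no longer be trusted to report on the host, so any further checking belongs on a copy of the disk or a boot from known-good media.

```python
"""Triage helpers for a debsums report and an sshd_config (added example)."""
import re

# Constructed sample: the lines posted in the mail (global check + `debsums ssh`), trimmed.
DEBSUMS_OUTPUT = """\
bin/cp FAILED
bin/dd FAILED
bin/df FAILED
bin/dir FAILED
bin/ln FAILED
bin/ls FAILED
bin/mv FAILED
bin/rm FAILED
bin/su FAILED
bin/ping FAILED
bin/ps FAILED
bin/kill FAILED
bin/date FAILED
bin/echo FAILED
bin/pwd FAILED
bin/tar FAILED
bin/tcsh FAILED
bin/cat FAILED
usr/bin/ssh OK
usr/sbin/sshd OK
usr/lib/ssh-keysign OK
usr/lib/sftp-server OK
"""

# Constructed sample: the security-relevant directives from the posted sshd_config.
SSHD_CONFIG = """\
Port 22
Protocol 2,1
PermitRootLogin yes
StrictModes yes
PubkeyAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication yes
X11Forwarding no
#UsePrivilegeSeparation yes
AllowUsers root cjf linforce afradm afrjradm ave dave
"""

# Directories whose contents the rest of an investigation depends on (example's own list).
CORE_DIRS = ("bin/", "sbin/", "usr/bin/", "usr/sbin/", "lib/", "usr/lib/")


def parse_debsums(text):
    """Map each path in debsums output to its status (OK, FAILED, ...).

    debsums prints paths with a leading slash; the mail shows them without,
    so both forms are normalised to the slash-less form.
    """
    results = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            results[parts[0].lstrip("/")] = parts[1]
    return results


def failed_core_binaries(results):
    """Return the sorted paths under CORE_DIRS whose checksum did not verify."""
    return sorted(path for path, status in results.items()
                  if status != "OK" and path.startswith(CORE_DIRS))


def parse_sshd_config(text):
    """Parse sshd_config into {keyword_lowercase: value}.

    sshd_config(5): keywords are case-insensitive, '#' starts a comment, and the
    FIRST value given for a keyword is the one that takes effect.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            conf.setdefault(parts[0].lower(), parts[1].strip())
    return conf


def audit_sshd_config(conf):
    """Return one finding per setting a reviewer would question."""
    findings = []
    if "1" in conf.get("protocol", "2").split(","):
        findings.append("protocol: SSH protocol version 1 is enabled")
    if conf.get("permitrootlogin", "").lower() == "yes":
        findings.append("permitrootlogin: direct root login over ssh is allowed")
    if conf.get("passwordauthentication", "yes").lower() == "yes":
        findings.append("passwordauthentication: password logins are enabled")
    if "useprivilegeseparation" not in conf:
        findings.append("useprivilegeseparation: not set explicitly; confirm the daemon's default")
    if "root" in conf.get("allowusers", "").split():
        findings.append("allowusers: root is in the allow list")
    return findings


if __name__ == "__main__":
    failed = failed_core_binaries(parse_debsums(DEBSUMS_OUTPUT))
    print(f"{len(failed)} modified core binaries: {' '.join(failed)}")
    for finding in audit_sshd_config(parse_sshd_config(SSHD_CONFIG)):
        print("sshd_config:", finding)
```

Both parsers take plain text, so the same functions run unchanged over `debsums -a` output and a full sshd_config captured from a suspect host or from an image of its disk.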