On Tue, Jun 17, 2003 at 11:41:20PM +0200, Florian Weimer wrote:
>
> Anyway, I just wanted to make sure that you investigate other
> weaknesses than the SSH1 implementation. It's my gut feeling based on
> the facts you have mentioned that another explanation is far more
> likely.
Certainly, we ha
On Tue, 17 Jun 2003 21:34:32 +0200, Florian Weimer wrote:
>Nick Boyce <[EMAIL PROTECTED]> writes:
>
>>>These attacks require wiretapping and traffic
>>>manipulation capabilities.
>>
>> I'd be interested if you could expand on this - do you mean a
>> connection to the victim's LAN is necessary ?
Tim Peeler <[EMAIL PROTECTED]> writes:
> As we have yet to see any indication that this is related to the crc32
> compensation detector yet, I'm finding it more and more difficult
> to believe that this was truly the problem.
Yes, indeed. This particular problem has been fixed, but there are
ot
On Tue, Jun 17, 2003 at 09:45:28PM +0200, Florian Weimer wrote:
> Tim Peeler <[EMAIL PROTECTED]> writes:
>
> > I've done some research and have seen reports on several "kits"
> > available to exploit the SSH1 protocol.
>
> Can you send me a few links? I can only remember attacks which
> required
Tim Peeler <[EMAIL PROTECTED]> writes:
> I've done some research and have seen reports on several "kits"
> available to exploit the SSH1 protocol.
Can you send me a few links? I can only remember attacks which
required (a) eavesdropping, (b) huge amounts of traffic (you would
have noticed it), (
Nick Boyce <[EMAIL PROTECTED]> writes:
>>These attacks require wiretapping and traffic
>>manipulation capabilities.
>
> I'd be interested if you could expand on this - do you mean a
> connection to the victim's LAN is necessary ?
LAN or WAN. Actually, access to any transmission link suffices.
On Sun, Jun 15, 2003 at 09:01:00AM +0200, Florian Weimer wrote:
> Tim Peeler <[EMAIL PROTECTED]> writes:
>
> > I've come to the conclusion that the SSH1 protocol is the most
> > likely cause of this problem.
>
> Attacks on the SSH v1 protocol are relatively sophisticated. It's
> more likely that
On Sun, 15 Jun 2003 09:01:00 +0200, Florian Weimer wrote:
>Tim Peeler <[EMAIL PROTECTED]> writes:
>
>> I've come to the conclusion that the SSH1 protocol is the most
>> likely cause of this problem.
>
>Attacks on the SSH v1 protocol are relatively sophisticated. It's
>more likely that some token
Tim Peeler <[EMAIL PROTECTED]> writes:
> I've come to the conclusion that the SSH1 protocol is the most
> likely cause of this problem.
Attacks on the SSH v1 protocol are relatively sophisticated. It's
more likely that some token used for authentication (password, RSA or
DSA key) has leaked, tha
On Sat, Jun 14, 2003 at 03:28:49AM +0100, Nick Boyce wrote:
> On Fri, 13 Jun 2003 17:52:21 -0400, Tim Peeler wrote:
>
> >On Fri, Jun 13, 2003 at 05:15:28PM -0400, David B Harris wrote:
> >>
> >> On Fri, 13 Jun 2003 14:18:44 -0400
> >> Tim Peeler <[EMAIL PROTECTED]> wrote:
> >> > In the last 4-5 d
On Fri, 13 Jun 2003 17:52:21 -0400, Tim Peeler wrote:
>On Fri, Jun 13, 2003 at 05:15:28PM -0400, David B Harris wrote:
>>
>> On Fri, 13 Jun 2003 14:18:44 -0400
>> Tim Peeler <[EMAIL PROTECTED]> wrote:
>> > In the last 4-5 days we have had 8 servers come under attack. We are
>> > working frantica
On Fri, Jun 13, 2003 at 05:52:21PM -0400, Tim Peeler wrote:
> Just for information, these failed the global check:
> bin/cp FAILED
> bin/dd FAILED
> bin/df FAILED
> bin/dir FAILED
> bin/ln FAILED
> bin/ls FAILED
> bin/mv FAILED
> bin/rm FAILED
> bin/su FAILED
> bin/ping FAILED
> bin/ps FAILED
> bin
Followup:
This has caused problems on some of our old potato systems as well.
It appears to be a worm with the speed in which it spread.
On Fri, Jun 13, 2003 at 02:18:44PM -0400, Tim Peeler wrote:
> In the last 4-5 days we have had 8 servers come under attack. We are
> working frantically
On Fri, Jun 13, 2003 at 05:15:28PM -0400, David B Harris wrote:
> (This version of the message sent to you personally in the off chance
> that you're not subscribed to debian-security@lists.debian.org; sorry
> for not doing it via Cc:, but I forgot.)
>
> On Fri, 13 Jun 2003 14:18:44 -0400
> Tim Pe
On Fri, 13 Jun 2003 14:18:44 -0400
Tim Peeler <[EMAIL PROTECTED]> wrote:
> In the last 4-5 days we have had 8 servers come under attack. We are
> working frantically to keep ahead of these attacks. We have come to the
> conclusion that the SSH in woody is likely vulnerable. Of the 8 servers
> th
Tim Peeler <[EMAIL PROTECTED]> writes:
> In the last 4-5 days we have had 8 servers come under attack.
Any trust relationships between these servers? Which SSH
authentication method do you use?
Tim,
If I were in your shoes, the first thing I'd do is set up a small honeypot
with a similar configuration to your other machines. Run the same services,
as you have running on your other woody boxen, but just don't use it for
anything. This way it will appear like 'just another one'
On Fri, Jun 13, 2003 at 02:18:44PM -0400, Tim Peeler remarked:
> In the last 4-5 days we have had 8 servers come under attack.
> We are working frantically to keep ahead of these attacks. We
> have come to the conclusion that the SSH in woody is likely
> vulnerable. Of the 8 servers that have bee