back to article OpenSSH exploit rumours swarm

Rumours are circulating about the active exploitation of systems running older versions of OpenSSH, the open source remote administration utility. Security watchers at the SANS Institute's Internet Storm Centre report circumstantial evidence of a mischief, including a log ostensibly showing an attack in progress, posted last …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Black Helicopters

    Is it that unrelated?

    Aren't anti-sec (who are possibly involved in the openSSh 0day) and milw0rm rather indisposed towards each other?

    Is there some big game going on here?

  2. Anonymous Coward
    Alert

    Too fresh with the post button

    Also worth noting (?) is that several hosts are said to be taking this very seriously and have disabled ssh access.

    Hostgator has certainly done this, and even claims to be patching something. Whether that just means they're updating packages or not I have no idea.

    http://forums.hostgator.com/showpost.php?p=176747&postcount=59

  3. Jeremy 2

    "Too busy with other projects to maintain..."

    Honestly, that excuse is starting to become as see-through as "I want to spend more time with my family"

  4. EdwardP
    Flame

    A little salt.

    While I'm not denying this vulnerability is possible, I do think it's worth mentioning that recently there's been a rather big jump in the number of totally unknown groups/people posting exploit "logs" with no explanation and no technical details.

    Quite a few of these have been confirmed as fake. Astalavista was supposedly hacked using a LightSpeed exploit which has now been (essentially) confirmed to be technically impossible. Another log, supposedly utilizing this SSH exploit, has been confirmed as fake; rather amusingly the sysadmin in question was hacked through a more basic flaw, and then falsified the logs in order to save face (he ran a security website)

    To be honest, even the logs themselves look rather suspect. I've seen various copies where the naming scheme and parameters have changed, and where there are obvious inaccuracies in the timestamps.

    I'm not saying it's not true, I'm saying this has all come at a very convenient time and not to believe everything you read.

  5. Anonymous Coward
    Gates Horns

    OpenSSH and Redhat devs discuss

    http://lists.mindrot.org/pipermail/openssh-unix-dev/2009-July/027730.html

  6. The Fuzzy Wotnot
    WTF?

    So another typical day on the internet then!

    Ah the wonderful ability for the internet to take a small rumour and some dodgy "evidence" and blow it out of all proportion!

    OK, wise to be safe than sorry, but all a credible security organisation has to go on is log file that might be fake, and they are crowing about OpenSSH has a major flaw? Come on , going to need a little bit more than that to go on before I start closing up shop!

  7. Gordon Ross Silver badge
    FAIL

    No s**t Sherlock

    "Red Hat Enterprise Linux ships with OpenSSH as a component and may therefore need upgrading"

    As does just about every other *nix based system.

  8. Tom Paine
    Pirate

    Black Hat

    I think what you /meant/ to say was:

    "...an exploit against older versions of OpenSSH might be presented AT Black Hat,.."

    That would be the rather well-known Black Hat / Defcom conference come party, as usual supplying silly-season fodder to liven up July *and* August. How's that for value?

    http://www.blackhat.com/html/bh-usa-09/bh-us-09-main.html

  9. EdwardP
    Flame

    @Gordon Ross - Smartarse

    RedHat ships with OpenSSH 4.3 with the patches backported in, as opposed to most other Linux distributions who now ship the latest release.

  10. Anonymous Coward
    Badgers

    Suspcious log

    This doesn't look at all right. That log (the second one linked) doesn't have an RHEL5 kernel and doesn't have the RHEL5 apache. Other things don't look quite right either. Just googling for the kernel version -- 2.6.24.5-grsec-hostnoc-4.0.0-x86_64-libata -- throws up a lot of stuff about this supposed exploit.

    I'm not buying this until there's better evidence than one oft-repeated log of dubious veracity.

  11. David Eddleman
    Boffin

    Not so hard

    "Red Hat Enterprise Linux ships with OpenSSH as a component and may therefore need upgrading"

    So hard.

    yum update openssh*

    y

    Then for good measure: service sshd restart

    Ooh, so hard a monkey could even do it.

This topic is closed for new posts.

Other stories you might like