Date: Wed, 14 Nov 2001 18:20:15 +0100 (CET)
From: Krzysztof Zaraska
To: Rob Hurle
Cc: Stefan Probst, freebsd-security@FreeBSD.ORG
Subject: Re: Adore worm
In-Reply-To: <20011114100516.L432-100000@freebsd.connect-a.com.au>

On Wed, 14 Nov 2001, Rob Hurle wrote:

> People advise ssh, but I notice that this particular attack also has a new
> version of ssh to install, so I don't know about that.

This may be done for two reasons:

1. To install a version of sshd that is not vulnerable to CRC attack
2. To install a trojaned version of sshd that contains a backdoor allowing
   remote root access, e.g. based on username.

The second possibility looks more probable to me.

My PLN 0.02

Regards,
Krzysztof