From owner-freebsd-security  Sun Dec  2 13:42:29 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mailhost.freebsd.lublin.pl (mailhost.freebsd.lublin.pl [212.182.115.12])
	by hub.freebsd.org (Postfix) with ESMTP id 2449237B417
	for <security@freebsd.org>; Sun,  2 Dec 2001 13:42:21 -0800 (PST)
Received: (from root@localhost)
	by mailhost.freebsd.lublin.pl (8.11.6/8.11.4) id fB2LgFH52212;
	Sun, 2 Dec 2001 22:42:15 +0100 (CET)
	(envelope-from venglin@freebsd.lublin.pl)
Received: from there (IDENT:venglin@clitoris.czuby.net [212.182.126.2])
	by mailhost.freebsd.lublin.pl (8.11.6/8.11.4av) with SMTP id fB2LgDf52204;
	Sun, 2 Dec 2001 22:42:14 +0100 (CET)
	(envelope-from venglin@freebsd.lublin.pl)
Message-Id: <200112022142.fB2LgDf52204@mailhost.freebsd.lublin.pl>
Content-Type: text/plain;
  charset="iso-8859-2"
From: Przemyslaw Frasunek <venglin@freebsd.lublin.pl>
Organization: czuby.net
To: slamdunk <slamdunk@neophile.net>, security@freebsd.org
Subject: Re: Is this an attempt on SSH hack?
Date: Sun, 2 Dec 2001 22:42:13 +0100
X-Mailer: KMail [version 1.3.1]
References: <5.1.0.14.2.20011202213039.00a99d88@mail.btinternet.com>
In-Reply-To: <5.1.0.14.2.20011202213039.00a99d88@mail.btinternet.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: by AMaViS perl-10
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

On Sunday 02 December 2001 22:39, slamdunk wrote:

> Dec 2 01:02:45 www sshd[15029]: fatal: Local: Corrupted

Yes, this is attempt to exploit remote CRC32 integer overflow. Probably it 
wasn't successful if logs were not removed.

> Running SSH Version OpenSSH-1.2.2, protocol version 1.5.
> Compiled with SSL.
> Need I be worried?

This version of OpenSSH is definitely vulnerable, but circulating exploits 
probably doesn't 'support' it. Please upgrade as soon as possible to at least 
OpenSSH 2.3.0.

-- 
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message