Date: Thu, 22 Nov 2001 12:21:47 -0300
From: Fernan Aguero <fernan@iib.unsam.edu.ar>
To: Michael Richards <michael@fastmail.ca>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Odd sshd messages
Message-ID: <20011122122147.A11367@iib005.iib.unsam.edu.ar>
In-Reply-To: <3BFCF73E.000001.96546@frodo.searchcanada.ca>; from michael@fastmail.ca on Thu, Nov 22, 2001 at 08:01:50AM -0500
References: <3BFCF73E.000001.96546@frodo.searchcanada.ca>

This is documented at
http://www.cert.org/incident_notes/IN-2001-12.html

Quoting it:

Exploitation of vulnerability in SSH1 CRC-32 compensation attack detector

Original release Date: November 5, 2001
Last revised: November 7, 2001

I. Overview

The CERT/CC has received multiple reports of systems being compromised
via the CRC-32 compensation attack detector vulnerability described in
VU#945216. We are also receiving reports of increased scanning activity
for the SSH service (22/tcp).

II. Description

In reports received by the CERT/CC, systems compromised via this
vulnerability have exhibited the following pattern in system log
messages:

hostname sshd[xxx]: Disconnecting: Corrupted check bytes on input.
hostname sshd[xxx]: Disconnecting: crc32 compensation attack: network attack detected
hostname sshd[xxx]: Disconnecting: crc32 compensation attack: network attack detected
...

The exploit for this vulnerability appears to use a brute force method,
so many messages of this type may be logged before a system is
successfully compromised.

... and goes on. Read the document for suggested solutions, basically
- apply a patch
- disable SSHv1 fallback support
- restrict use of SSH service (until a patch can be applied)

Fernan

+----[ Michael Richards (michael@fastmail.ca) said about "Odd sshd messages":
|
| I've been getting a number of odd sshd messages. I do not believe my
| sshd is vulnerable to any exploits. Here is what I see:
|
| Nov 21 16:50:16 frodo sshd[2950]: fatal: Local: Corrupted check bytes
| on input.
| Nov 21 16:50:40 frodo sshd[2962]: fatal: Local: Corrupted check bytes
| on input.
| Nov 21 16:50:44 frodo sshd[2967]: fatal: Local: Corrupted check bytes
| on input.
| Nov 21 16:51:02 frodo sshd[2992]: fatal: Local: Corrupted check bytes
| on input.
| Nov 21 16:51:06 frodo sshd[3001]: fatal: Local: Corrupted check bytes
| on input.
|
| May just be a bogus client, but it may also be someone hammering at
| the back door.
|
| I'm running:
| sshd version OpenSSH_2.3.0
|
| -Michael
| _________________________________________________________________
| http://fastmail.ca/ - Fast Free Web Email for Canadians
|
+----]

--
| F e r n a n   A g u e r o  | B i o i n f o r m a t i c s |
| fernan@iib.unsam.edu.ar    | genoma.unsam.edu.ar         |
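
The log pattern quoted in the message above can be searched for mechanically. The following Python sketch is an added example, not part of the original post or of the CERT/CC note; it assumes classic syslog-format lines, and the function names, the five-minute window, the threshold of three events and the `samwise` host are illustrative choices made here.

```python
import re
from datetime import datetime, timedelta

# Messages named in the CERT/CC incident note quoted above.
SIGNATURES = ("Corrupted check bytes on input",
              "crc32 compensation attack: network attack detected")
# Classic syslog layout: "Nov 21 16:50:16 host sshd[2950]: message"
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
                     r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")

def parse_events(lines, year=2001):
    """Return sorted (time, host, pid, signature) tuples for matching lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        sig = m and next((s for s in SIGNATURES if s in m["msg"]), None)
        if sig:
            # Syslog omits the year, so the caller supplies it (assumption).
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["host"], int(m["pid"]), sig))
    return sorted(events)

def find_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Per host, report runs of >= threshold events spaced <= window apart."""
    by_host, bursts = {}, []
    for ev in events:
        by_host.setdefault(ev[1], []).append(ev)
    for host, evs in sorted(by_host.items()):
        run = [evs[0]]
        for ev in evs[1:] + [None]:          # None flushes the last run
            if ev and ev[0] - run[-1][0] <= window:
                run.append(ev)
                continue
            if len(run) >= threshold:
                bursts.append({"host": host, "start": run[0][0], "events": len(run),
                               "crc32_seen": any("crc32" in e[3] for e in run)})
            run = [ev]
    return bursts

# Constructed sample: frodo lines are from the post above; "samwise" is made up.
SAMPLE = """\
Nov 21 16:50:16 frodo sshd[2950]: fatal: Local: Corrupted check bytes on input.
Nov 21 16:50:40 frodo sshd[2962]: fatal: Local: Corrupted check bytes on input.
Nov 21 16:50:44 frodo sshd[2967]: fatal: Local: Corrupted check bytes on input.
Nov 21 17:02:10 samwise sshd[411]: Disconnecting: Corrupted check bytes on input.
Nov 21 17:02:11 samwise sshd[412]: Disconnecting: crc32 compensation attack: network attack detected
Nov 21 17:02:13 samwise sshd[413]: Disconnecting: crc32 compensation attack: network attack detected
Nov 21 19:30:00 samwise sshd[502]: Disconnecting: Corrupted check bytes on input.
""".splitlines()
print(find_bursts(parse_events(SAMPLE)))
```

A single stray "Corrupted check bytes" line, such as the 19:30:00 entry in the sample, stays below the threshold and is not reported; only repeated failures close together in time are flagged.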