From owner-freebsd-security Thu Nov 22 9: 4:46 2001
Delivered-To: freebsd-security@freebsd.org
Received: from lila.inti.gov.ar (lila.inti.gov.ar [200.10.161.32]) by hub.freebsd.org (Postfix) with ESMTP id 8573D37B405 for ; Thu, 22 Nov 2001 09:04:40 -0800 (PST)
Received: from nav.inti.gov.ar ([200.10.161.45]) by lila.inti.gov.ar with smtp (Exim 3.02 #1) id 166ve8-0005r7-00 for freebsd-security@FreeBSD.ORG; Thu, 22 Nov 2001 12:20:12 -0300
Received: from iib005.iib.unsam.edu.ar ([200.3.113.15]) by NAV.inti.gov.ar (NAVGW 2.5.1.12) with SMTP id M2001112212273410456 ; Thu, 22 Nov 2001 12:27:35 -0300
Received: (from fernan@localhost) by iib005.iib.unsam.edu.ar (8.11.3/8.11.3) id fAMFLmM11686; Thu, 22 Nov 2001 12:21:48 -0300 (ART) (envelope-from fernan)
Date: Thu, 22 Nov 2001 12:21:47 -0300
From: Fernan Aguero
To: Michael Richards
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Odd sshd messages
Message-ID: <20011122122147.A11367@iib005.iib.unsam.edu.ar>
References: <3BFCF73E.000001.96546@frodo.searchcanada.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3BFCF73E.000001.96546@frodo.searchcanada.ca>; from michael@fastmail.ca on Thu, Nov 22, 2001 at 08:01:50AM -0500
X-PGP-Key: http://genoma.unsam.edu.ar/~fernan/pubkey.asc
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

This is documented at http://www.cert.org/incident_notes/IN-2001-12.html

Quoting it:

  Exploitation of vulnerability in SSH1 CRC-32 compensation attack detector

  Original release Date: November 5, 2001
  Last revised: November 7, 2001

  I. Overview

  The CERT/CC has received multiple reports of systems being compromised
  via the CRC-32 compensation attack detector vulnerability described in
  VU#945216. We are also receiving reports of increased scanning activity
  for the SSH service (22/tcp).

  II. Description

  In reports received by the CERT/CC, systems compromised via this
  vulnerability have exhibited the following pattern in system log
  messages:

      hostname sshd[xxx]: Disconnecting: Corrupted check bytes on input.
      hostname sshd[xxx]: Disconnecting: crc32 compensation attack: network attack detected
      hostname sshd[xxx]: Disconnecting: crc32 compensation attack: network attack detected
      ...

  The exploit for this vulnerability appears to use a brute force method,
  so many messages of this type may be logged before a system is
  successfully compromised.

... and goes on. Read the document for suggested solutions, basically:

- apply a patch
- disable SSHv1 fallback support
- restrict use of SSH service (until a patch can be applied)

Fernan

+----[ Michael Richards (michael@fastmail.ca) said about "Odd sshd messages":
|
| I've been getting a number of odd sshd messages. I do not believe my
| sshd is vulnerable to any exploits. Here is what I see:
|
| Nov 21 16:50:16 frodo sshd[2950]: fatal: Local: Corrupted check bytes on input.
| Nov 21 16:50:40 frodo sshd[2962]: fatal: Local: Corrupted check bytes on input.
| Nov 21 16:50:44 frodo sshd[2967]: fatal: Local: Corrupted check bytes on input.
| Nov 21 16:51:02 frodo sshd[2992]: fatal: Local: Corrupted check bytes on input.
| Nov 21 16:51:06 frodo sshd[3001]: fatal: Local: Corrupted check bytes on input.
|
| May just be a bogus client, but it may also be someone hammering at
| the back door.
|
| I'm running:
| sshd version OpenSSH_2.3.0
|
| -Michael
| _________________________________________________________________
| http://fastmail.ca/ - Fast Free Web Email for Canadians
|
+----]

-- 
| F e r n a n   A g u e r o | B i o i n f o r m a t i c s |
| fernan@iib.unsam.edu.ar   | genoma.unsam.edu.ar         |

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
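The CERT note quoted in the thread gives a log pattern rather than a tool, so below is a small detection check written for this page; it is an added example, not code from CERT, the OpenSSH project or either poster. It parses syslog-format sshd lines, matches both wordings seen on this page ("fatal: Local: Corrupted check bytes on input." from OpenSSH 2.3.0 and the "Disconnecting: ..." / "crc32 compensation attack" forms from the CERT note), and flags a burst, which is the brute-force signature CERT describes. The sample log is constructed: Michael's five lines plus three added lines (one "crc32 compensation attack" disconnect, one benign login, one isolated later event). The burst threshold of 3 events within 60 seconds and the year used for the timestamps are assumptions, not values from the page.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Both message wordings associated on this page with the SSH1 CRC-32
# compensation attack detector exploit (CERT IN-2001-12 / VU#945216).
INDICATOR = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?:fatal: Local: |Disconnecting: )"
    r"(?P<msg>Corrupted check bytes on input\.?"
    r"|crc32 compensation attack: network attack detected)"
)

# Constructed sample: Michael's five lines from the thread, plus three
# added lines (a crc32 disconnect, a benign login, an isolated late event).
SAMPLE_LOG = """\
Nov 21 16:50:16 frodo sshd[2950]: fatal: Local: Corrupted check bytes on input.
Nov 21 16:50:40 frodo sshd[2962]: fatal: Local: Corrupted check bytes on input.
Nov 21 16:50:44 frodo sshd[2967]: fatal: Local: Corrupted check bytes on input.
Nov 21 16:51:02 frodo sshd[2992]: fatal: Local: Corrupted check bytes on input.
Nov 21 16:51:06 frodo sshd[3001]: fatal: Local: Corrupted check bytes on input.
Nov 21 16:51:09 frodo sshd[3010]: Disconnecting: crc32 compensation attack: network attack detected
Nov 21 16:52:30 frodo sshd[3015]: Accepted publickey for admin from 192.0.2.10 port 40122 ssh2
Nov 21 17:45:00 frodo sshd[4120]: fatal: Local: Corrupted check bytes on input.
""".splitlines()


def parse_events(lines, year=2001):
    """Return (timestamp, host, pid, message) for every indicator line.

    syslog timestamps carry no year, so one is supplied (assumed 2001 here,
    matching the thread's dates).  Non-matching lines are ignored.
    """
    events = []
    for line in lines:
        m = INDICATOR.match(line)
        if not m:
            continue
        ts = datetime.strptime(
            f"{year} {m['mon']} {int(m['day'])} {m['time']}", "%Y %b %d %H:%M:%S"
        )
        events.append((ts, m["host"], int(m["pid"]), m["msg"]))
    return events


def count_by_message(events):
    """How many times each indicator message appeared (for a quick triage view)."""
    return Counter(msg for _, _, _, msg in events)


def find_bursts(events, threshold=3, window=timedelta(seconds=60)):
    """Flag runs of >= threshold indicator events within `window`, per host.

    CERT notes the exploit brute-forces, so a cluster of these disconnects
    is the thing to alert on; a single stray line may just be a broken client.
    Returns (host, first_ts, last_ts, count) for each burst found.
    """
    by_host = {}
    for ev in sorted(events):
        by_host.setdefault(ev[1], []).append(ev)

    bursts = []
    for host, evs in by_host.items():
        i = 0
        while i < len(evs):
            # Extend the window forward from event i as far as it reaches.
            j = i
            while j + 1 < len(evs) and evs[j + 1][0] - evs[i][0] <= window:
                j += 1
            count = j - i + 1
            if count >= threshold:
                bursts.append((host, evs[i][0], evs[j][0], count))
                i = j + 1  # do not re-report the same events
            else:
                i += 1
    return bursts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for msg, n in count_by_message(evs).items():
        print(f"{n:3d}  {msg}")
    for host, first, last, n in find_bursts(evs):
        print(f"BURST on {host}: {n} events between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

Fed the sample, this reports one burst on frodo of six events between 16:50:16 and 16:51:09 and leaves the lone 17:45:00 line unflagged. In practice the input is the host's sshd log (auth.log or messages, depending on syslog.conf), and the most worrying shape is a burst that stops abruptly: CERT's description is that many such messages precede a successful compromise, so silence after a burst is a reason to check the host, not a reason to relax. Detection is only corroboration; the fixes listed in the reply (patch, disable SSH1 fallback, restrict access) are what remove the exposure.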