Date: Tue, 25 Jun 2002 16:10:19 -0500
From: Blaine Kahle
To: security@freebsd.org
Subject: Re: Upcoming OpenSSH vulnerability
Message-ID: <20020625161019.A52785@matrix.binary.net>
In-Reply-To: <3D18C985.000067.31912@ns.interchange.ca>

On Tue, Jun 25, 2002 at 03:50:29PM -0400, Michael Richards wrote:
> >> Michael, Doug, any word on the status of this? Have the OpenSSH
> >> developers been notified of this?
> >
> > Reading the rest of that mail, I get the impression it was some
> > sort of dumb joke/rhetorical statement, he didn't really have an
> > exploit...
>
> Yes, I thought it was sarcastic enough that everyone would take it as
> that. As a result of something I saw this AM I believe it would be a
> great idea to upgrade immediately. There is an exploit out in the
> wild and it's been demonstrated to me. I've been spending all day
> frantically upgrading all of our machines. Will probably be up long
> into the night ensuring everything is up and working.

And I think it's being scanned for:

Jun 25 16:10:06 aspire sshd[26012]: scanned from 203.74.9.16 with SSH-1.0-SSH_Version_Mapper. Don't panic.
Jun 25 16:10:06 aspire sshd[26009]: Did not receive identification string from 203.74.9.16

203.74.9.16 is APNIC.

In case you're wondering about the logged "Don't panic." message, it's
in the source:

        if (datafellows & SSH_BUG_SCANNER) {
                log("scanned from %s with %s. Don't panic.",
                    get_remote_ipaddr(), client_version_string);
                fatal_cleanup();
        }

This scanner triggered a warning page to me because it tied up the
default limit of 10 unauthenticated SSH sessions.

-- 
Blaine Kahle
blaine@binary.net
Systems Programmer
Binary Net, Inc.
UID 0, Zip, Zilch, Nada
www.binary.net
0x178AA0E0

Do not meddle in the affairs of sysadmins, for they are quick to anger
and have no need for subtlety.
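
Added example (not part of the original message, and not OpenSSH or FreeBSD code): a log summarizer that groups the two sshd messages quoted above by source address, so a burst of probe connections stands out before it fills the unauthenticated-session limit. The sample log is constructed from the quoted lines plus documentation addresses; the function names and the threshold of 3 are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the two message formats quoted in the mail, plus
# invented lines using documentation addresses (192.0.2.0/24, 198.51.100.0/24).
SAMPLE_LOG = """\
Jun 25 16:10:06 aspire sshd[26012]: scanned from 203.74.9.16 with SSH-1.0-SSH_Version_Mapper.  Don't panic.
Jun 25 16:10:06 aspire sshd[26009]: Did not receive identification string from 203.74.9.16
Jun 25 16:10:07 aspire sshd[26015]: Did not receive identification string from 203.74.9.16
Jun 25 16:11:40 aspire sshd[26100]: Accepted publickey for admin from 192.0.2.10 port 4022 ssh2
Jun 25 16:12:02 aspire sshd[26131]: Did not receive identification string from 198.51.100.7
"""

# sshd logs the client's version banner when it matches a known scanner.
SCANNED = re.compile(r"sshd\[\d+\]: scanned from (\S+) with (.+?)\.\s+Don't panic\.")
# Logged when a client connects and drops without sending any banner.
NO_IDENT = re.compile(r"sshd\[\d+\]: Did not receive identification string from (\S+)")


def summarize(log_text):
    """Per source IP: number of probe connections and scanner banners seen."""
    hosts = defaultdict(lambda: {"connections": 0, "banners": set()})
    for line in log_text.splitlines():
        m = SCANNED.search(line)
        if m:
            hosts[m.group(1)]["connections"] += 1
            hosts[m.group(1)]["banners"].add(m.group(2))
            continue
        m = NO_IDENT.search(line)
        if m:
            hosts[m.group(1)]["connections"] += 1
    return dict(hosts)


def scanners(hosts, min_connections=3):
    """Sources that sent a scanner banner or made several banner-less
    connections (min_connections is an assumed threshold, tune per site)."""
    return sorted(ip for ip, h in hosts.items()
                  if h["banners"] or h["connections"] >= min_connections)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip in scanners(summary):
        print(ip, summary[ip]["connections"], sorted(summary[ip]["banners"]))
```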