Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 25 Jun 2002 16:10:19 -0500
From:      Blaine Kahle <goatee@binary.net>
To:        security@freebsd.org
Subject:   Re: Upcoming OpenSSH vulnerability
Message-ID:  <20020625161019.A52785@matrix.binary.net>
In-Reply-To: <3D18C985.000067.31912@ns.interchange.ca>; from michael@fastmail.ca on Tue, Jun 25, 2002 at 03:50:29PM -0400
References:  <3D18C985.000067.31912@ns.interchange.ca>
next in thread | previous in thread | raw e-mail | index | archive | help 
On Tue, Jun 25, 2002 at 03:50:29PM -0400, Michael Richards wrote:
> >> Michael, Doug, any word on the status of this?  Have the OpenSSH
> >> developers been notified of this?
> > 
> > Reading the rest of that mail, I get the impression it was some
> > sort of dumb joke/rhetorical statement, he didn't really have an
> > exploit...
> 
> Yes, I thought it was sarcastic enough that everyone would take it as 
> that. As a result of something I saw this AM I believe it would be a 
> great idea to upgrade immediately. There is an exploit out in the 
> wild and it's been demonstrated to me. I've been spending all day 
> frantically upgrading all of our machines. Will probably be up long 
> into the night ensuring everything is up and working.

And I think it's being scanned for:

Jun 25 16:10:06 aspire sshd[26012]: scanned from 203.74.9.16 with SSH-1.0-SSH_Version_Mapper.  Don't panic.
Jun 25 16:10:06 aspire sshd[26009]: Did not receive identification string from 203.74.9.16

203.74.9.16 is APNIC.

In case you're wondering about the logged "Don't panic." message, it's
in the source:

        if (datafellows & SSH_BUG_SCANNER) {
                log("scanned from %s with %s.  Don't panic.",
                    get_remote_ipaddr(), client_version_string);
                fatal_cleanup();
        }           
                
        
This scanner triggered a warning page to me because it tied up the
default limit of 10 unauthenticated SSH sessions.


-- 
Blaine Kahle                                         blaine@binary.net
Systems Programmer                                    Binary Net, Inc.
UID 0, Zip, Zilch, Nada                                 www.binary.net
                                                            0x178AA0E0
Do not meddle in the affairs of sysadmins,
for they are quick to anger and have no need for subtlety.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020625161019.A52785>