Originally posted by sneakyimp
Does anyone know how to determine if your computer/server has been compromised? Anyone heard about this? I use SSH all day long.
Unfortunately that article is a tad light on technical details...but nowhere in it does it state that SSH itself was directly compromised.
The intruder probed computers for vulnerabilities that allowed the installation of the corrupted program, known as a Trojan horse, in place of the legitimate program.
Doesn't really say if it was SSH that was vulnerable, or another daemon that allowed root access/installation of trojaned sshd. (My money is on sendmail)
I guess we'll have to wait for CERT or Secunia or whoever to catch wind :/
The operation took advantage of the vulnerability of Internet-connected computers whose security software had not been brought up to date.
Sounds like whatever it was has been patched already; it's just another case of outdated software being vulnerable.