[Dshield] SSH Clarifications
Johannes B. Ullrich
jullrich at euclidian.com
Thu Nov 8 22:51:21 GMT 2001
Before people get too excited, some background on SSH:

In February, a remote exploit was found in ssh (CRC Compensation
Attack Detector Vulnerability). Most ssh implementations were
affected by it (F-Secure, OpenSSH, ssh.com ssh) at the time.
This vulnerability would allow a remote attacker to obtain 'root'
privileges. Initially, it was assumed that this vulnerability is
hard to exploit. Vendors made patched versions of ssh available
shortly after the vulnerability was announced.

A few weeks back, rumors surfaced that someone is offering an
exploit for this vulnerability for sale (see:
So it is basically just a question of time when someone will
wrap this exploit into a worm and unleash it. The impact is
a bit hard to predict, but ssh is used quite commonly and we
all know how good people are about updating their systems.

The data we have so far does show some increase in scanning for the last
day. However, in order to confirm that this is actually a worm, and not
just a few kiddies playing with ssh, we need the actual worm code to prove
that infected machines are probing themselves to find and infect other
jullrich at sans.org Join http://www.DShield.org
Distributed Intrusion Detection System