North American Network Operators Group


Morons?

  • From: John Fraizer
  • Date: Mon Nov 02 20:49:57 1998

At 06:50 PM 11/1/98 -0500, you wrote:
>Hey morons arguing over the ssh bug, rootshell just posted an email
>advisory, they have written code on an ssh-1.2.26 exploit.  They were
>hacked via ssh, and they have stated so on their web page as well.
>
>	Dave McKay
>	[email protected]
>	Systems/Security Admin
>
>


Hello Mr. McKay.

Firstly, I do wonder where you get off addressing NANOG as morons.  Do you
suppose to be the only individual in the readership with a clue?  Before
you crotch-check yourself and belt out "hell yes," perhaps you should
re-read the email from Mr. Knox.  I realize that being the hero to network
admins everywhere must take up an enormous amount of your time so, I have
included the paragraph to which I am referring:

[
Date: Sun, 1 Nov 1998 12:45:13 -0800 (PST)
From: Kit Knox <[email protected]>
X-Sender: [email protected]
To: [email protected]
Subject: [rootshell] Security Bulletin #25

<snip>

They appear to have jumped the gun slightly and do not have
working exploit code, but have found possible buffer overflows in the ssh
1.2.26 code.  Rootshell has also received further reports of exploit code
going around in various circles.  SSH Communications Security Ltd. has
evaluated this bulletin and now believes it is actually not a problem.

<snip>

]

"reports of exploit code" and actual WORKING exploits are nowhere near the
same.  Hell, some marketing people would like you to believe "reports" of
windows boxes outperforming *nix boxes on identical hardware running the
same tasks.

So, please tell all of us supposed "morons," where is the mention of the
"code on an ssh-1.2.26 exploit" that they have written?  Could you do us
the service of posting a URL or are you too busy saving us from our feeble
selves?


What I'm seeing on the webpage live and in technicolor is the same email
from IBM-ERS that was posted to NANOG with rootshell comments added in []
to each paragraph.  There is no mention of their having a working exploit
and there is no mention of them being "hacked" via SSH.  The site states:

[ On Wed Oct 28th at 5:12AM PST the main Rootshell page was defaced by a
group of crackers. Entry to the machine was made via SSH (secure shell)
which is an encrypted interface to the machine at 04:57AM PST this morning.
Rootshell was first informed of this incident at 6:00 AM PST and the site
was immediately brought offline. The site was back up and operational by
8:00AM PST. ]

If you contend that this is being "hacked via ssh" I contend that you are
making a huge leap.  For all we know, and what I personally suspect,
another box on the net was compromised that had a valid key with empty
passphrase to login to the rootshell box.



-------
John Fraizer                      |    __   _
The System Administrator          |   / /  (_)__  __ ____  __ | The choice
mailto:[email protected] |  / /__/ / _ \/ // /\ \/ / |  of a GNU
http://www.EnterZone.Net/         | /____/_/_//_/\_,_/ /_/\_\ | Generation
                     A 486 is a terrible thing to waste...