Date: Tue, 23 Oct 2001 13:17:21 -0400 (EDT)
From: Max Parke <[email protected]>
To: [email protected]Subject: SSH deja vu
Sorry if this is already a known issue.
When the vulnerabilities in ssh-1.xx were publicised, we upgraded to
ssh-2.xx on our machines. The process for ssh version 2.xx does NOT
erase sshd1 from /usr/local/sbin, and if an incoming client is still
running the old ssh version 1, sshd2 will hand off control to
/usr/local/sbin/sshd1 (of course, this can be disabled).
It appears that if your old sshd from version 1 was vulnerable before
installing ssh version 2, YOU ARE STILL VULNERABLE. We have
information that this problem is currently being actively exploited,
and scans for vulnerable machines are being conducted.
Messages such as the following (note: sshd, not sshd2) indicate that a
scan may be in progress:
sshd[6169]: fatal: Local: Corrupted check bytes on input.
sshd[6253]: fatal: Local: crc32 compensation attack: network attack
detected
