  1. #1
    Join Date
    May 2006
    Posts
    1,398

    Heads up - Openssh 4.3* 0day

    Note: I thought I posted this yesterday, either I forgot to hit submit or a mod deleted it for some reason, if mods dont want this thread up lemme know

    I have heard this from a reliable source. Was a recent pretty big site that got hacked, they had a forensic specialist come in and recover the partitions and such. There is like 500 mb of logs and such related to the hack and I have some info on it. It all started at openssh, not a password login either. The hacker was able to exploit ssh and get in without even showing up as system user somehow.

    As far as getting the exploit and exact strings used it was not possible as it is encrypted ssh traffic. If someone really knows how to decrypt or read that then I can get you the logs.

    Anyway, one of the staff of the site that got hacked- his personal server was hacked with same method, after he upgraded to the latest version of ssh they weren't able to get back in.

    So there is definitely an SSH 0day, the current Centos/RHEL SSH versions are all vulnerable. To be on the safe side I advise everyone to upgrade via source or a newer package if you can find one.

    One easy way to do it is using the update script from directadmin forums - http://directadmin.com/forum/showthread.php?t=22587 It will work on cpanel servers or any other server as well, is not control panel related. I successfully upgraded mine.

    In yum.conf you need to add *SSH* to the excludes so it doesn't get overwritten with yum update.

    I guess I would consider this still a rumor as far as public opinion goes but from what I have seen and heard from various people it is true. It doesn't hurt anything to upgrade so why not to be on the safe side?

    If anyone else has any info on this post on it.
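The yum.conf step in the post above deserves a check, because yum matches exclude= patterns as case-sensitive shell-style globs against package names: a pattern like *SSH* does not cover openssh-server, while openssh* does, and a source-built sshd that is not excluded will be silently replaced on the next yum update. The script below is an added example, not code from the post or the DirectAdmin script it links; the two config files it builds are constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the original post: check whether the exclude= line
# in a yum.conf actually shields the openssh packages from "yum update".
# yum matches exclude patterns as shell-style globs against package names
# (case-sensitive), so "*SSH*" does not cover "openssh-server" while
# "openssh*" does. The config files below are constructed for the demo.

# yum_excludes_pkg CONF PKG: exit 0 if any pattern on an exclude= line in
# CONF matches PKG, exit 1 otherwise. Patterns may be space- or
# comma-separated. The body runs in a subshell so "set -f" (no pathname
# expansion of the patterns while iterating) does not leak into the caller.
yum_excludes_pkg() (
    conf=$1; pkg=$2
    set -f
    patterns=$(sed -n 's/^[[:space:]]*exclude[[:space:]]*=[[:space:]]*//p' "$conf" | tr ',' ' ')
    for pat in $patterns; do
        case $pkg in
            $pat) exit 0 ;;     # glob match against the package name
        esac
    done
    exit 1
)

# demo_yum_check: two constructed configs, one with the wrong pattern
demo_yum_check() {
    tmp=$(mktemp -d)
    printf '[main]\ncachedir=/var/cache/yum\nexclude=*SSH* kernel*\n' > "$tmp/bad.conf"
    printf '[main]\ncachedir=/var/cache/yum\nexclude=openssh*,kernel*\n' > "$tmp/good.conf"
    for name in bad good; do
        if yum_excludes_pkg "$tmp/$name.conf" openssh-server; then
            echo "$name.conf: openssh-server is excluded from yum update"
        else
            echo "$name.conf: openssh-server would be overwritten by yum update"
        fi
    done
    rm -rf "$tmp"
}

demo_yum_check
```

On a real box run yum_excludes_pkg /etc/yum.conf openssh-server after editing the file; the same function works for any package you maintain outside the package manager.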

  2. #2
    Join Date
    Apr 2006
    Location
    United Kingdom
    Posts
    609
    Thanks for the information. I haven't heard anything about this so it may just be a rumour, still it's better to be safe than sorry as you say.
    John Slane | Systems Administrator

  3. #3
    Join Date
    Oct 2002
    Location
    Middle Dearth
    Posts
    22,642
    Quote Originally Posted by felosi
    I forgot to hit submit
    Or on another forum perhaps. Nothing we did.
    Thanks for the heads up, and if you spot anything further about this, by all means add it.
    Having problems, or maybe questions about WHT? Head over to the help desk!

  4. #4
    Join Date
    Apr 2003
    Location
    NC
    Posts
    3,080
    Interesting.

    Did they post details anywhere else or notify any vendors or those that were hacked holding the details close?
    John W, CISSP, C|EH
    MS Information Security and Assurance
    ITEagleEye.com - Server Administration and Security
    Yawig.com - Managed VPS and Dedicated Servers with VIP Service

  5. #5
    Join Date
    May 2006
    Posts
    1,398
    well, the hackers sure aren't gonna notify the vendor, they are some group who is against anyone advocating people secure and update their boxes, or anyone posting security advisories, security tutorials, etc. I guess they think everyone should leave the internet vulnerable just for them.

    Here is a pcap log of the exploit being used. It is encrypted SSH traffic though so I doubt it is of any use.

    The people I heard this from are reliable sources and say they are 100% positive it is an openssh 4.3 exploit, they said updating to the latest version kept the hackers from getting back in. There is a chance they are wrong but even a rumor of an ssh exploit will have me upgrading.

    Sometimes, well most of the time, RHEL team is slow on updates and Centos is even slower because they have to wait on them and it takes them around a week or two to make it a centos package so even if they knew it would take some time to get it fixed. A lot of the versions on RHEL software have made me nervous in the past. I do understand it is all about stability and all but I think they should upgrade versions more often instead of just throwing a few patches together on the same version.

    From what I have gathered this same hacker group has hacked centos 4 and centos 5 boxes this way. There is a possible exploit on the 2.6.18* RHEL kernels as well. But they did recently release an update so that may have been fixed. I will still run the latest grsecurity to try and be somewhat safe.

    Of course we can never make an unhackable server but we cant let people scare us into not trying to keep each other informed. So I guess everyone can just continue to do what they can and hope for the best

  6. #6
    Join Date
    Apr 2001
    Location
    Pittsburgh, PA
    Posts
    1,303
    You do realize OpenSSH 4.3 was released 3.5 years ago?

    http://www.openssh.org/security.html

    Kevin

  7. #7
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,267
    Quote Originally Posted by sigma
    You do realize OpenSSH 4.3 was released 3.5 years ago?

    http://www.openssh.org/security.html

    Kevin
    Yes. Redhat backports patches into old versions.

    [email protected] [~]# rpm -qa |grep openssh
    openssh-clients-4.3p2-29.el5
    openssh-4.3p2-29.el5
    openssh-server-4.3p2-29.el5


    Centos 5 machine
    Steven Ciaburri | Proactive Linux Server Management - Rack911.com
    Managed Servers (AS62710), Server Management, and Security Auditing.

  8. #8
    Will it affect server that doesn't use the default ssh port?

    -joseph

  9. #9
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,267
    Quote Originally Posted by Mxhub
    Will it affect server that doesn't use the default ssh port?

    -joseph
    potentially if someone gets your ssh port.
    Steven Ciaburri | Proactive Linux Server Management - Rack911.com
    Managed Servers (AS62710), Server Management, and Security Auditing.

  10. #10
    Quote Originally Posted by Steven
    potentially if someone gets your ssh port.
    - Remind me of getting some anti-port scanning tool .



    -joseph

  11. #11
    Join Date
    Mar 2008
    Posts
    1,717
    If I had to hazard a guess, I'd say that the machine was rooted prior to the attack, and that sshd was backdoored... hence them logging in easily and not showing up in wtmp/utmp/whatever. That would also explain why upgrading from source apparently fixed the problem - it probably nuked the backdoor.

    Personally I don't know who your trusted source is, but there's some pretty big sites out there running CentOS and chances are good there'd be bigger fish to fry if someone had a zero-day of that caliber. I wouldn't completely rule it out of course, but still...
    I used to run the oldest commercial Mumble host.

  12. #12
    Join Date
    May 2006
    Posts
    1,398
    First off no one claimed to be any security expert. I merely stated I heard this from someone who was hacked this way and had heard it from a few other reliable people as well.

    Also I said better safe than sorry and that I believed the people I heard it from, I did not state it was fact. Also, I'm sure you don't know who I heard it from in the first place Jason.

    Amazing how someone dying to get in a thread and posts insults won't even read the original post...

    But also it would be nice to find out it is just a rumor which it may be.

    Anyway, that is what this forum is for, even if something was heard through the grapevine or whatever that may affect a lot of people what is the harm in posting it? I don't get it lol pseudo security experts, Anyone who knows me knows I NEVER claim to be an expert in security
    Last edited by jon-f; 07-04-2009 at 02:20 AM.

  13. #13
    Quote Originally Posted by felosi
    First off no one claimed to be any security expert. I merely stated I heard this from someone who was hacked this way and had heard it from a few other reliable people as well.

    Also I said better safe than sorry and that I believed the people I heard it from, I did not state it was fact. Also, I'm sure you don't know who I heard it from in the first place Jason.

    Amazing how someone dying to get in a thread and posts insults won't even read the original post...
    hm, just gonna put a shot in the dark here, nowayout the security expert! aka 'glafkos' and (but not limited to) astalavista staff?

  14. #14
    Join Date
    May 2006
    Posts
    1,398
    Quote Originally Posted by HRDev Jason
    hm, just gonna put a shot in the dark here, nowayout the security expert! aka 'glafkos' and (but not limited to) astalavista staff?
    No but is one of the people I heard it from. Supposedly the pcap log shows the exploit in action. I don't host him either.

    Quote Originally Posted by HRDev Hady
    Yes, but you're still kicking up a fuss and worrying people although it's completely unnecessary. Where's the proof they were 'hacked this way' besides what some pseudo-security expert believes happened?
    Point taken, my goal was not to worry people but I figured it was worth posting and let people make their own minds up.

    Oh and I wouldn't have just posted a rumor But I know the one people did have a forensic specialist come in and that was their conclusion on it.

    of course it can all be wrong and just rumor, I hope it is.

  15. #15
    Join Date
    Apr 2002
    Location
    Auckland - New Zealand
    Posts
    1,572
    Well with the smoke the other week regarding ssh, I wouldn't dis this claim totally.

    Just keep ssh restricted to only networks that you want to access it and you're safe (from an ssh exploit), as always, if you can't get to it there is no chance of being hacked at all. Those with shared access to ssh on port 22, then I guess you need to either make a decision to recompile or keep your eyes on notice boards for any disclosure or confirmed case.
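The advice above, restricting sshd to the networks that need it, is the one mitigation in this thread that works regardless of whether the rumoured bug exists. As an added example (not from the post, and not any particular host's rule set), the script below validates a list of trusted IPv4 CIDRs and emits the iptables commands that accept ssh only from them; the port and networks in the demo are constructed.

```sh
#!/bin/sh
# Added example, not from the original post: build the firewall rules that
# limit sshd to a list of trusted networks, validating every CIDR first so a
# typo neither opens the port to the world nor locks the admin out. Assumes
# IPv4 and iptables syntax; the networks and port in the demo are constructed.

# cidr_valid CIDR: exit 0 for a well-formed IPv4 CIDR such as 10.0.0.0/24,
# exit 1 otherwise (no prefix, prefix > 32, octet > 255, wrong octet count).
# Runs in a subshell so "set -f" and the IFS change do not leak out.
cidr_valid() (
    set -f                              # never glob-expand user input
    cidr=$1
    ip=${cidr%/*}; bits=${cidr#*/}
    [ "$ip" != "$cidr" ] || exit 1      # no "/" present
    case $bits in ''|*[!0-9]*) exit 1 ;; esac
    [ "$bits" -le 32 ] || exit 1
    case $ip in *..*|.*|*.) exit 1 ;; esac   # empty octets
    IFS=.; set -- $ip
    [ $# -eq 4 ] || exit 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) exit 1 ;; esac
        [ "$octet" -le 255 ] || exit 1
    done
    exit 0
)

# ssh_allow_rules PORT CIDR...: print iptables commands that keep existing
# sessions alive, accept new ssh connections from each trusted CIDR, and
# drop ssh from everywhere else. Every CIDR is checked before anything is
# printed, so an invalid one yields exit 1 and no partial rule set.
ssh_allow_rules() {
    port=$1; shift
    [ $# -gt 0 ] || { echo "refusing to build a rule set with no trusted networks" >&2; return 1; }
    for net in "$@"; do
        cidr_valid "$net" || { echo "invalid CIDR: $net" >&2; return 1; }
    done
    echo "iptables -A INPUT -p tcp --dport $port -m state --state ESTABLISHED -j ACCEPT"
    for net in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $port -s $net -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# demo with constructed management networks; review the output before running
# it, and keep a console session open while you test the rules
demo_ssh_rules() {
    ssh_allow_rules 22 10.0.0.0/24 192.168.1.0/24
}

demo_ssh_rules
```

The ESTABLISHED rule is what keeps your current session alive while the new rules are appended; it does not matter whether sshd listens on 22 or a non-default port, since the rule set keys on whatever port you pass.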

  16. #16
    Join Date
    Jul 2002
    Location
    Tasmania, Australia
    Posts
    34,649
    Thread reopened, if you can't post without throwing insults around, then go play outside, we won't have that sort of talk here.
    If you don’t like the road you’re walking on, start paving a new one.

  17. #17
    Join Date
    May 2006
    Posts
    1,398
    I do want to post that I did not mean to alarm anyone. This very well could be a rumor as I have not seen the exploit or any kind of logfile I can read showing it happen. I apologize for posting this in the first place but I thought it would be good to at least post what I have heard and let people make up their minds. I did believe the people that told me but that doesn't make it fact.

    I always assume in cases like this it is best to at least give a heads up to a possible dangerous exploit and see if anyone else has heard about it. But as of now I will have to say this is unconfirmed and possibly just a rumor

  18. #18
    Join Date
    Mar 2008
    Posts
    1,717
    Felosi: Was the "security expert" site the one compromised? If so, there's been a rash of that stuff going around a while back and they could be at it again (google "zero for 0wned" or zf0) and I definitely wouldn't rule out a zero-day by any stretch of the imagination.

    If it's just some random site and forensics group came in and said "yup, ssh 0-day" after a few hours of tinkering then collected a check, I'd make a mental note to never hire them... because the backdoor scenario I wrote about above sounds much much more likely and would be my first guess.
    I used to run the oldest commercial Mumble host.

  19. #19
    Join Date
    Apr 2002
    Location
    Auckland - New Zealand
    Posts
    1,572
    Well this is a bit too much of a coincidence me thinks .. http://www.webhostingtalk.com/showthread.php?t=873387

  20. #20
    Has anyone had any similar problems with version 5.x?
    █ Wafer VPS
    US North Carolina Based
    Self-Managed OpenVZ VPS Hosting
    Check out our offers!

  21. #21
    Join Date
    May 2006
    Posts
    1,398
    Quote Originally Posted by fwaggle
    Felosi: Was the "security expert" site the one compromised? If so, there's been a rash of that stuff going around a while back and they could be at it again (google "zero for 0wned" or zf0) and I definitely wouldn't rule out a zero-day by any stretch of the imagination.

    If it's just some random site and forensics group came in and said "yup, ssh 0-day" after a few hours of tinkering then collected a check, I'd make a mental note to never hire them... because the backdoor scenario I wrote about above sounds much much more likely and would be my first guess.
    Yes and I agree with second part too, it is very possible that they just got ripped by those forensic people. At first it was supposed to be a litespeed exploit, they emailed me wanting a refund on the yearly update license they just bought a month before. I said if they provided some proof it happened that way we would gladly refund them, George from litespeed said same thing. They never produced results, I forgot the excuse.

    And then with the SSH exploit. Basically someone signed up for hosting with the domain webhostline or something like that. Me, thinking it is some reseller, sets it up and all. An hour or so later I find out it is one of the staff from that security site when he came to me about the exploit and the owner of that security site confirmed it. Turns out those hackers were still after that guy, he had security sites anyway, something I swore I wouldn't host or manage again so I gave him 24 hours to get his vps going and finally had to just terminate it because I don't need the trouble to be honest, call me a coward or whatever no one client is worth the trouble those hackers could cause.

    Well, I guess they got me a lil worried ya know and I figured I would post here to see if anyone has heard anything else. So anyway, it seems there is not enough evidence for making this post so I will have to back off my original position of there definitely being an exploit as it has been called into doubt.

    So ya, Let's just say this is highly unconfirmed.

  22. #22
    Join Date
    Apr 2002
    Location
    Auckland - New Zealand
    Posts
    1,572
    Highly unconfirmed?

    You post 'Heads up 0 day ssh exploit' - few hours later after much disbelief and random abusive posts that got trimmed up, there pops up another thread posting all the details of an SSH hack against someone on this board!

    Am I missing something?

  23. #23
    Quote Originally Posted by Steven
    Yes. Redhat backports patches into old versions.

    [email protected] [~]# rpm -qa |grep openssh
    openssh-clients-4.3p2-29.el5
    openssh-4.3p2-29.el5
    openssh-server-4.3p2-29.el5


    Centos 5 machine
    Somehow backporting doesn't seem like the best approach. It completely depends on the skill of the coder undertaking the backport.

    The openssh devs work very hard at security and know the code well. When they release a new version it might be best to just accept it as is. Or, in the case of Linux, base a new version on the portable branch.
    edgedirector.com
    managed dns global failover and load balance (gslb)
    exactstate.com
    uptime report for webhostingtalk.com
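Both posts above turn on the same question: what does a Red Hat package labelled 4.3p2-29 actually contain? The version string alone answers nothing, but the package changelog (rpm -q --changelog openssh-server, also mentioned later in this thread) lists the fixes the vendor says were backported. The script below is an added example, not code from either post; the changelog text it parses is constructed, and its CVE numbers are placeholders rather than real advisories.

```sh
#!/bin/sh
# Added example, not from the original posts: verify that a vendor backport
# carries the fix for a given CVE by reading the package changelog, which is
# what "rpm -q --changelog openssh-server" prints on a Red Hat / CentOS box.
# The changelog text below is constructed for the demo and its CVE numbers
# are placeholders, not real advisories.

# changelog_cves: read changelog text on stdin, print each CVE id once
changelog_cves() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# has_cve CVEID: exit 0 if CVEID is mentioned in the changelog on stdin
has_cve() {
    changelog_cves | grep -qx "$1"
}

# changelog_version: print the version-release stamp of the newest entry
# (rpm prints entries newest first and each header line ends with the stamp),
# for comparison with the output of "rpm -q openssh-server"
changelog_version() {
    sed -n '1s/.*[[:space:]]\([^[:space:]]*\)$/\1/p'
}

# constructed sample in the layout rpm uses: "* <date> <author> - <ver-rel>"
SAMPLE_CHANGELOG='* Wed Jan 07 2009 Example Maintainer <maint@example.invalid> - 4.3p2-29
- backport upstream fix for CVE-0000-0002 (placeholder id)
- rebuild against updated openssl
* Mon Feb 04 2008 Example Maintainer <maint@example.invalid> - 4.3p2-20
- backport upstream fix for CVE-0000-0001 (placeholder id)'

# demo_backport_check: report which of the asked-for ids the changelog covers
demo_backport_check() {
    echo "changelog build: $(printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_version)"
    for id in CVE-0000-0001 CVE-0000-0003; do
        if printf '%s\n' "$SAMPLE_CHANGELOG" | has_cve "$id"; then
            echo "$id: fix listed in changelog"
        else
            echo "$id: not mentioned; this build may lack the fix"
        fi
    done
}

demo_backport_check
```

On a real system pipe the real changelog in instead: rpm -q --changelog openssh-server | has_cve CVE-XXXX-XXXX (substitute the advisory you care about). Note the limit plumsauce points at: the changelog shows what the vendor claims to have backported, not that the backport is correct, so it settles "is this build meant to include the fix", not "is this build safe".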

  24. #24
    Join Date
    Jun 2009
    Posts
    43
    i would like the group who did research to post here... i agree that the ssh might have very well been backdoored. ssh is open source and always being toyed with so if there was a 0day wouldn't it have been found by now?

  25. #25
    Join Date
    Jul 2003
    Location
    Goleta, CA
    Posts
    5,550
    Quote Originally Posted by elfz
    i would like the group who did research to post here... i agree that the ssh might have very well been backdoored. ssh is open source and always being toyed with so if there was a 0day wouldn't it have been found by now?
    Absolutely not, it's quite easy to hide things in plain sight.
    Patron: I'd like my free lunch please.
    Cafe Manager: Free lunch? Did you read the fine print stating it was an April Fool's joke.
    Patron: I read the same way I listen, I ignore the parts I don't agree with. I'm suing you for false advertising.
    Cafe Owner: Is our lawyer still working pro bono?

  26. #26
    Join Date
    Mar 2009
    Location
    Austin Tx
    Posts
    2,000
    Quote Originally Posted by plumsauce
    Somehow backporting doesn't seem like the best approach. It completely depends on the skill of the coder undertaking the backport.

    The openssh devs work very hard at security and know the code well. When they release a new version it might be best to just accept it as is. Or, in the case of Linux, base a new version on the portable branch.
    This is done for all packages in the RHEL / CentOS major releases. If they make exceptions for one package, then they have to do it for all...which goes against their "purpose" for doing this anyway.
    This method has always been a thorn in my side too, especially when my developers want to UG to say, a major php version release...
    with RH, you have to break support for the package just to UG.
    Uggg.
    This is the best signature in the world....Tribute!
    (It is not the best signature in the world, no. This is just a tribute)

  27. #27
    Join Date
    Dec 2007
    Location
    Indiana, USA
    Posts
    16,057
    From what I understand - HostGator caught some flak in the news in Texas for them taking the action of disabling SSH on all of their servers based upon unreliable or contrived evidence of an exploit. In speaking with a contact at HostGator the employee went so far as to say "Our CTO fell for some bad fake evidence and then took serious action based upon it."

    I don't know - I just thought I'd share what had been shared with me.

    There is always certainly the possibility of a Zero-Day exploit in just about any piece of software - I'm not saying it's not possible or it doesn't exist but just sharing what was shared with me

  28. #28
    Join Date
    Aug 2006
    Location
    Ashburn VA, San Diego CA
    Posts
    4,565
    Quote Originally Posted by MikeDVB
    From what I understand - HostGator caught some flak in the news in Texas for them taking the action of disabling SSH on all of their servers based upon unreliable or contrived evidence of an exploit. In speaking with a contact at HostGator the employee went so far as to say "Our CTO fell for some bad fake evidence and then took serious action based upon it."
    Doesn't surprise me. I would hate to be one of their loyal customers, locked out of the only 'secure' way of accessing a site. Plain text FTP only, for security sake? Seriously?
    Fast Serv Networks, LLC | AS29889 | Fully Managed Cloud, Streaming, Dedicated Servers, Colo by-the-U
    Since 2003 - Ashburn VA + San Diego CA Datacenters

  29. #29
    Join Date
    May 2006
    Posts
    1,398
    Quote Originally Posted by MikeDVB
    From what I understand - HostGator caught some flak in the news in Texas for them taking the action of disabling SSH on all of their servers based upon unreliable or contrived evidence of an exploit. In speaking with a contact at HostGator the employee went so far as to say "Our CTO fell for some bad fake evidence and then took serious action based upon it."

    I don't know - I just thought I'd share what had been shared with me.

    There is always certainly the possibility of a Zero-Day exploit in just about any piece of software - I'm not saying it's not possible or it doesn't exist but just sharing what was shared with me
    I don't think that is totally true about him "falling for fake evidence". He treated it just like anyone else who did not want to risk it. Everyone now is saying it is definitely a hoax and such based on the openssh developer's statement but how many times have developers sworn up and down there are no problems only for problems to emerge in the future? Plus he must be the best developer in the world to foresee every possible exploitation scenario because 99.9% of them cannot. If this was true developers could write software and never have to update it or patch it.

    Not to mention Hostgator had other evidence besides posts on here and the situations outlined in here. As far as locking everyone out, well that may be extreme to some but look at what they have at stake per server. I think hostgator handled this well and I know I would rather be with a host who takes precautionary measures than one that demands piles of evidence before doing a simple update on a 3 year old software version. I would also rather be with a host who had their ear to the underground rather than relying solely on publicly released security issues.

    Sometimes listening to the rumors and word in the underground can be wrong but some times it is right and those times you would have fixed the problem before anything was made public.

    I just don't see how anyone can criticize hostgator for anything, Didn't they just have it locked down for like what? 24 hours? Anyway, I think Hostgator did the right thing considering the circumstances and everyone has to realize they did not just go by what was said on forums, blogs, etc. they had more info about this than any of us.

  30. #30
    Join Date
    Mar 2009
    Location
    Chicago, IL
    Posts
    219
    felosi: The problem is that they jumped without *any* proof of concept code in the wild. All it takes is anyone with about 10 minutes of spare time to fake the "proof" that was released publicly.

    Heck, The same could be done for Apache, the latest kernels, mail daemons, anything really. I see all the crazy reactions from everyone about this and it all boils down to the same thing. A text editor and 10 minutes and you've got a "zero day hack". Should we fully discount it? No, should we start shutting down services, recompiling SSH for an unknown (and potentially fake) attack vector? No because if it were real, we don't know the nature of the exploit.


    Check this out...


    ./hack 10.10.10.10:80
    ------
    G0T H4CK VerSioN 3.9
    Executing Attack on 10.10.10.10:80
    Enabling crypto hash sequences... Please wait
    Enabling bytecode payload insertion... Please wait
    Preparing Attack Payload.... Complete
    Sending Payload Sequence... Done
    0000000008as8d9d8a9vd90000ads8a8d88888888
    #
    #id
    uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
    #uname -a
    Linux test.fakeserver.com 2.6.18-128.1.10.el5 #1 SMP Thu May 7 10:39:21 EDT 2009 i686 i686 i386 GNU/Linux

    ------

    Onoz an apache hack!

    Now, let's go shutdown our webservers....

  31. #31
    Join Date
    Apr 2002
    Location
    Auckland - New Zealand
    Posts
    1,572
    It doesn't matter at this stage to speculate, if it is or isn't. People will mitigate how they see fit, if they need to. It's certainly made a lot of people think twice about their security anyways, and that has got to be a good thing.

    Best not to sit around all in a comfort zone waiting for things to happen, it pays to be 1 step ahead, wherever you can be.

  32. #32
    Join Date
    Mar 2008
    Posts
    1,717
    Quote Originally Posted by StevenG
    It doesn't matter at this stage to speculate, if it is or isn't. People will mitigate how they see fit, if they need to.
    When the mitigation involves denial of service (even if it is only 24 hours), your security practices need work. Confidentiality, Integrity, Availability... and all that.

    Best not to sit around all in a comfort zone waiting for things to happen, it pays to be 1 step ahead, wherever you can be.
    One step ahead of (at this point) imaginary zero-days? There could potentially be zero-days in any of the software we use on a daily basis... so by your logic, "screw this", shut everything on the internet down and let's all go home. I don't think at this point it needs to be said, but: the internet is a hostile place. When it comes to 0-day exploits, it's not a case of if you'll be owned it's when you'll be owned. You can't cover all your bases, only take best practices and have a backup plan in place for when things go bad.

    I personally suspect at this point that the log is doctored, and that the actual attack vector was much less elegant and wouldn't look as great posted to full-disclosure.

    It doesn't take much effort to imagine the attackers sitting together on IRC somewhere, laughing their asses off at the security industry's responses to this.

    So what do I think?

    Discussing this rumor on forums: good, if it turned out to be real, the heads up is much appreciated.

    Upgrading suspect software? Sure, why not - it can easily be undone if you want to go back to letting yum keep sshd updated... though I do have reservations about installing binaries from semi-trusted sources (not to dig at those who were just trying to help in any way).

    Disabling a service from thousands of users for 24 hours based on a completely unauthenticated mailing list post? Not so much.
    I used to run the oldest commercial Mumble host.

  33. #33
    Join Date
    Apr 2002
    Location
    Auckland - New Zealand
    Posts
    1,572
    Like I've said, it's completely up to whoever makes the decision in a business, to make the relevant decision. There's no wrong or right here, and those that denied service may even shock horror be proved correct yet - Nobody knows yet.

    I don't really care about there actually being an exploit in ssh, as it's something that really shouldn't be a problem anyway, given adequate defenses in the first place.
    It's really not unknown, this stuff has happened before...

  34. #34
    Join Date
    Apr 2002
    Location
    Troy, MI
    Posts
    309
    To cut through some of the crap in this thread, firstly the openssh binary packages from RedHat are backports of the latest stable releases relative to major feature changes, security and bug fixes.

    We can see the actual change history on a redhat based system with the following command:
    rpm -q --changelog openssh-server

    By the admission of openssh developers themselves, between 4.3 and 5.2 there are only two less than tangible security fixes and neither are straight forward stack attacks.

    As for the actual merits of the 0day threat, as of this moment there is still absolutely no proof to lend itself towards the exploit other than a lot of rumor mill crap. I detailed a bit more on the FUD nature of this openssh 0day at:
    http://www.webhostingtalk.com/showth...37&posted=1#41

    There are much wider threats out there at the moment, such as....

    In April we had local root exploits on 2.6.x kernel based systems related to the udev implementation (two incarnations of this exploit 10 days apart). Followed shortly after, in May we had a local root ptrace exploit in the 2.6.x kernel tree, with two incarnations of this exploit a couple days apart.

    The ptrace and udev exploits are in wide use with canned variants actively being used as payload against vulnerable wordpress installations among other software. This at the moment is the biggest active threat, the canned (binary) variant is designed to run in-place on servers where uploaded (whereas the PoC uses /tmp) and upon successful exploitation immediately sets a setuid root shell in place for hand-off of commands by the attackers as root.

    Then 3 days ago a local root exploit was released in <= 2.6.28.3 x86_64, though this is a vastly more specific vulnerability and not seen in the wild being exploited yet (and due to the specific 64bit OS install it requires, likely won't see wide exploitation).

    You can search your server for signs of compromise from the canned ptrace/udev vulnerability with the following:
    http://www.rfxn.com/downloads/suid_find
    Note: Please be sure to edit in your email address before you run it on your server, if you get no returned results to email then you are in the clear, otherwise you are looking for root owned setuid binaries (the s bit set in permissions).

    So what is the moral of this whole post? Be mindful of openssh but please stop lending to the state-of-paranoia around this potential 0day, at best update openssh then put focus on system-wide security.
    Last edited by tchryan; 07-11-2009 at 02:17 AM.
    Ryan MacDonald
    Lead Administrator | TotalChoice Hosting
    Choice Does Matter! | Serving over 26,000 clients
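The check tchryan describes, looking for root-owned setuid binaries that the canned ptrace/udev payloads leave behind, is easy to do with find alone; what makes it useful on a box that legitimately has setuid files (passwd, su and so on) is comparing against a baseline taken while the system was known good. The script below is an added example, not the rfxn suid_find script and not code from the post. The directory tree it scans is constructed in a temp dir, and the OWNER argument exists only so the demo can run as an unprivileged user; on a real system leave it at the default root and scan /.

```sh
#!/bin/sh
# Added example, not from the original post and not rfxn's suid_find script:
# list root-owned setuid files under a directory and report any that are not
# on a previously recorded baseline, the check the post describes for the
# canned ptrace/udev payloads that leave a setuid root shell behind. The
# directory tree in the demo is constructed in a temp dir, and the OWNER
# argument exists only so the demo can run as an unprivileged user; on a real
# system leave it at the default "root" and scan "/".
LC_ALL=C; export LC_ALL            # stable sort order so comm sees sorted input

# find_suid DIR [OWNER]: sorted list of setuid regular files under DIR owned
# by OWNER (default root), as paths relative to DIR, not crossing filesystems
find_suid() {
    dir=$1; owner=${2:-root}
    ( cd "$dir" && find . -xdev -type f -user "$owner" -perm -4000 2>/dev/null ) | sort
}

# new_suid BASELINE DIR [OWNER]: setuid files present now that are missing
# from BASELINE (a file written earlier by find_suid, one path per line)
new_suid() {
    base=$1; dir=$2; owner=${3:-root}
    find_suid "$dir" "$owner" | comm -13 "$base" -
}

# demo_suid_scan: constructed tree with two expected setuid files, a baseline
# taken from it, then a setuid file planted under the world-writable tmp dir
demo_suid_scan() {
    me=$(id -un)
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/tmp"
    for f in usr/bin/passwd usr/bin/su; do
        : > "$root/$f"; chmod 4755 "$root/$f"      # legitimate setuid binaries
    done
    : > "$root/usr/bin/ls"; chmod 0755 "$root/usr/bin/ls"   # plain executable, not setuid
    find_suid "$root" "$me" > "$root/baseline.txt"          # known-good snapshot
    : > "$root/tmp/.x"; chmod 4755 "$root/tmp/.x"           # the planted shell
    new_suid "$root/baseline.txt" "$root" "$me"              # prints ./tmp/.x
    rm -rf "$root"
}

demo_suid_scan
```

Store the baseline off the box (or at least outside any directory a web application can write to); a baseline an attacker can edit is no baseline. Anything new that turns up under /tmp, /var/tmp or a web root deserves the same treatment the post gives it: treat the host as compromised until shown otherwise.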

  35. #35
    Join Date
    Apr 2009
    Posts
    79
    Perhaps you should do some googling on anti-sec and imageshack. The SSH attack *seems* to be very real.

  36. #36
    Join Date
    May 2006
    Posts
    1,398
    Quote Originally Posted by envisage
    Perhaps you should do some googling on anti-sec and imageshack. The SSH attack *seems* to be very real.
    They have much more than ssh 0day, they aren't just some group with one exploit. These guys are pretty good and write their own exploits, nothing would surprise me at this point of what they have.

    The same scene of people was the ones who had cpanel 0days just last year as well as local roots for every kernel including ones patched with grsec and pax (they probably still do).

    Sure the evidence of the ssh 0day was flimsy to the ones who had not seen it first hand or knew someone exploited by it but what takes the cake is the developer making an announcement "Erm, everything is ok here, no possible exploit" and then it is labeled as hoax by everyone. Like I said above he must be the best developer in the world to foresee every possible exploitation scenario of every piece of code in his software.

  37. #37
    Join Date
    Dec 2007
    Location
    Indiana, USA
    Posts
    16,057
    Quote Originally Posted by felosi
    I don't think that is totally true about him "falling for fake evidence". He treated it just like anyone else who did not want to risk it. Everyone now is saying it is definitely a hoax and such based on the openssh developer's statement but how many times have developers sworn up and down there are no problems only for problems to emerge in the future? Plus he must be the best developer in the world to foresee every possible exploitation scenario because 99.9% of them cannot. If this was true developers could write software and never have to update it or patch it.

    Not to mention Hostgator had other evidence besides posts on here and the situations outlined in here. As far as locking everyone out, well that may be extreme to some but look at what they have at stake per server. I think hostgator handled this well and I know I would rather be with a host who takes precautionary measures than one that demands piles of evidence before doing a simple update on a 3 year old software version. I would also rather be with a host who had their ear to the underground rather than relying solely on publicly released security issues.

    Sometimes listening to the rumors and word in the underground can be wrong but some times it is right and those times you would have fixed the problem before anything was made public.

    I just don't see how anyone can criticize hostgator for anything, Didn't they just have it locked down for like what? 24 hours? Anyway, I think Hostgator did the right thing considering the circumstances and everyone has to realize they did not just go by what was said on forums, blogs, etc. they had more info about this than any of us.
    I was just stating what my contact inside of HostGator had discussed with me, whether they are right or wrong is possibly up for discussion but the individual knows the inner workings of HostGator and the people well enough that I'd trust what they were telling me
    Michael Denney - MDDHosting LLC
    New shared plans for 2016! Check them out!
    Highly Available Shared, Premium, Reseller, and VPS
    http://www.mddhosting.com/

  38. #38
    Join Date
    Mar 2009
    Posts
    39
    http://www.nopaste.com/p/aDTdT5s1C/txt
    What a bunch of leet haxorz. el oh el. *In case you're not technically inclined, don't run it, it's fake. *
    Last edited by HRDev Hady; 07-14-2009 at 01:50 PM.

  39. #39
    I ran it on a local Linux computer; after that the computer does not boot.

    So don't try it. I am lucky that I didn't run it on a server. My first thought was to run it on the server :-(

  40. #40
    Join Date
    Mar 2009
    Posts
    39
    Quote Originally Posted by flashwebhost
    I ran it on a local Linux computer; after that the computer does not boot.

    So don't try it. I am lucky that I didn't run it on a server. My first thought was to run it on the server :-(
    el oh el.
