[ale] ssh exploited?
John Wells
jbwellsiv at yahoo.com
Wed Feb 6 22:30:16 EST 2002
I was examining my snort log files on my firewall
tonight and found a ssh exploit notification (see end
of this message).
The scary (odd) thing is, it seems to be coming from a
box on my internal lan (172.16.2.4) to my
gateway/firewall (172.16.2.1). Does this mean that my
internal box has been compromised? Or is this
something snort is picking up when I ssh from machine
to machine?
Thanks for your input...
John
----------------------------------------
[**] [1:1325:2] EXPLOIT ssh CRC32 overflow filler [**]
[Classification: Executable code was detected]
[Priority: 1]
01/27-20:02:27.610333 172.16.2.4:33834 ->
172.16.2.1:22
TCP TTL:64 TOS:0x0 ID:44352 IpLen:20 DgmLen:684 DF
***AP*** Seq: 0x3FFCB271 Ack: 0xE2D6D162 Win: 0x16D0
TcpLen: 32
TCP Options (3) => NOP NOP TS: 1580910 1633560
[Xref => http://www.securityfocus.com/bid/2347]
[Xref =>
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0144]
[**] [1:1325:2] EXPLOIT ssh CRC32 overflow filler [**]
lassification: Executable code was detected]
[Priority: 1]
01/27-20:02:27.610333 172.16.2.4:33834 ->
172.16.2.1:22
TCP TTL:64 TOS:0x0 ID:44352 IpLen:20 DgmLen:684 DF
***AP*** Seq: 0x3FFCB271 Ack: 0xE2D6D162 Win: 0x16D0
TcpLen: 32
TCP Options (3) => NOP NOP TS: 1580910 1633560
[Xref => http://www.securityfocus.com/bid/2347]
[Xref =>
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0144]
__________________________________________________
Do You Yahoo!?
Send FREE Valentine eCards with Yahoo! Greetings!
http://greetings.yahoo.com
---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
sent to listmaster at ale dot org.
More information about the Ale
mailing list