[ale] ssh exploited?

John Wells jbwellsiv at yahoo.com
Wed Feb 6 22:30:16 EST 2002


I was examining my snort log files on my firewall
tonight and found an ssh exploit notification (see end
of this message).

The scary (odd) thing is, it seems to be coming from a
box on my internal lan (172.16.2.4) to my
gateway/firewall (172.16.2.1).  Does this mean that my
internal box has been compromised?  Or is this
something snort is picking up when I ssh from machine
to machine?

Thanks for your input...

John
----------------------------------------

[**] [1:1325:2] EXPLOIT ssh CRC32 overflow filler [**]
[Classification: Executable code was detected]
[Priority: 1]
01/27-20:02:27.610333 172.16.2.4:33834 -> 172.16.2.1:22
TCP TTL:64 TOS:0x0 ID:44352 IpLen:20 DgmLen:684 DF
***AP*** Seq: 0x3FFCB271  Ack: 0xE2D6D162  Win: 0x16D0  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1580910 1633560
[Xref => http://www.securityfocus.com/bid/2347]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0144]


---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.
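One way to triage alerts like the one above, as an added example that is not part of the original post: parse Snort's full-format alert records, drop exact repeats, and flag any alert whose source and destination both sit on the LAN (assumed here to be 172.16.0.0/12, matching the addresses in the post), since that pattern points at an internal host rather than at perimeter traffic.

```python
import ipaddress
import re

# Constructed sample: the Snort alert from the post (TCP detail lines omitted,
# wrapped lines re-joined) followed by the verbatim repeat the message carried.
SAMPLE_ALERTS = """\
[**] [1:1325:2] EXPLOIT ssh CRC32 overflow filler [**]
[Classification: Executable code was detected]
[Priority: 1]
01/27-20:02:27.610333 172.16.2.4:33834 -> 172.16.2.1:22
[Xref => http://www.securityfocus.com/bid/2347]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0144]

[**] [1:1325:2] EXPLOIT ssh CRC32 overflow filler [**]
[Classification: Executable code was detected]
[Priority: 1]
01/27-20:02:27.610333 172.16.2.4:33834 -> 172.16.2.1:22
[Xref => http://www.securityfocus.com/bid/2347]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0144]
"""

HEADER = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")
FLOW = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$", re.M)
CVE = re.compile(r"name=(CVE-\d{4}-\d+)")

def parse_alerts(text):
    """Split Snort full-format output on blank lines; extract sid, msg, priority, endpoints, CVEs."""
    alerts = []
    for rec in re.split(r"\n\s*\n", text.strip()):
        head, flow = HEADER.search(rec), FLOW.search(rec)
        if not (head and flow):
            continue  # incomplete record (e.g. truncated alert)
        pri = re.search(r"\[Priority: (\d+)\]", rec)
        alerts.append({"sid": int(head.group(2)), "msg": head.group(4),
                       "priority": int(pri.group(1)) if pri else None,
                       "ts": flow.group(1), "src": flow.group(2), "sport": int(flow.group(3)),
                       "dst": flow.group(4), "dport": int(flow.group(5)),
                       "cves": CVE.findall(rec)})
    return alerts

def triage(alerts, lan_nets):
    """Drop exact repeats; flag alerts whose source and destination are both on the LAN."""
    nets = [ipaddress.ip_network(n) for n in lan_nets]
    inside = lambda ip: any(ipaddress.ip_address(ip) in n for n in nets)
    seen, out = set(), []
    for a in alerts:
        key = (a["ts"], a["src"], a["sport"], a["dst"], a["dport"], a["sid"])
        if key not in seen:
            seen.add(key)
            out.append(dict(a, lan_to_lan=inside(a["src"]) and inside(a["dst"])))
    return out
```

A `lan_to_lan` hit on a high-priority signature is worth checking on the source host itself (which process opened port 33834, and whether that ssh session was expected), even if the signature is known to fire on ordinary ssh traffic.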