Is it that unrelated?
Aren't anti-sec (who are possibly involved in the OpenSSH 0day) and milw0rm rather indisposed towards each other?
Is there some big game going on here?
Rumours are circulating about the active exploitation of systems running older versions of OpenSSH, the open source remote administration utility. Security watchers at the SANS Institute's Internet Storm Centre report circumstantial evidence of a mischief, including a log ostensibly showing an attack in progress, posted last …
Also worth noting (?) is that several hosts are said to be taking this very seriously and have disabled ssh access.
Hostgator has certainly done this, and even claims to be patching something. Whether that just means they're updating packages or not I have no idea.
While I'm not denying this vulnerability is possible, I do think it's worth mentioning that recently there's been a rather big jump in the number of totally unknown groups/people posting exploit "logs" with no explanation and no technical details.
Quite a few of these have been confirmed as fake. Astalavista was supposedly hacked using a LightSpeed exploit which has now been (essentially) confirmed to be technically impossible. Another log, supposedly utilizing this SSH exploit, has been confirmed as fake; rather amusingly, the sysadmin in question was hacked through a more basic flaw and then falsified the logs in order to save face (he ran a security website).
To be honest, even the logs themselves look rather suspect. I've seen various copies where the naming scheme and parameters have changed, and where there are obvious inaccuracies in the timestamps.
I'm not saying it's not true, I'm saying this has all come at a very convenient time and not to believe everything you read.
Ah the wonderful ability for the internet to take a small rumour and some dodgy "evidence" and blow it out of all proportion!
OK, wise to be safe rather than sorry, but all a credible security organisation has to go on is a log file that might be fake, and they are crowing about OpenSSH having a major flaw? Come on, going to need a little bit more than that to go on before I start closing up shop!
I think what you /meant/ to say was:
"...an exploit against older versions of OpenSSH might be presented AT Black Hat,.."
That would be the rather well-known Black Hat / Defcon conference cum party, as usual supplying silly-season fodder to liven up July *and* August. How's that for value?
This doesn't look at all right. That log (the second one linked) doesn't have an RHEL5 kernel and doesn't have the RHEL5 apache. Other things don't look quite right either. Just googling for the kernel version -- 188.8.131.52-grsec-hostnoc-4.0.0-x86_64-libata -- throws up a lot of stuff about this supposed exploit.
I'm not buying this until there's better evidence than one oft-repeated log of dubious veracity.
Biting the hand that feeds IT © 1998–2021