WARNING: SSH exploit - upgrade information

ProWebUK

As with all howto guides I provide, I take no responsibility; any damages that may occur to your server are your own responsibility. If you are worried about running the upgrade, I recommend you hire a server administrator :) .

Latest OpenSSH exploit over the last 48 hours; more information regarding the exploit can be found here:

http://slashdot.org/articles/03/09/16/1327248.shtml?tid=126&tid=172

to upgrade:

login as admin
su - to root

# wget http://prowebuk.com/TEMP/DOWNLOADS/OpenSSH/openssh-3.7p1.tar.gz

BEFORE DOING ANY UPGRADES MAKE SURE YOU HAVE TELNET RUNNING, CONNECT AND KEEP A CONNECTION WHILST YOU PROCEED WITH THE UPGRADE.

for DirectAdmin you should be able to enable telnet by doing the following:

# pico -w /etc/xinetd.d/telnet
change the line 'disable = yes' to 'disable = no'
save the file and exit
# service xinetd restart
also make sure you have port 23 open in your firewall (if you have a firewall)


OK, let's proceed with the upgrade

# tar -zxvf openssh-3.7p1.tar.gz
# cd openssh-3.7p1
# ./configure --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc/ssh --with-md5-passwords
# make
# make install

# service sshd restart

alternatively to restart use:

# /sbin/service sshd restart

open a new SSH window and make sure you can successfully connect to SSH... if everything is ok you will be able to disable telnet:

# pico -w /etc/xinetd.d/telnet
change the line 'disable = no' to 'disable = yes'
save the file and exit
# service xinetd restart

If you have a firewall, make sure you block port 23 to stop telnet being accessed.

Post if you have any problems :)

Chris
 
You might want to configure OpenSSH with pam..

And people upgrading from older versions of OpenSSH might need to add an sshd user..

adduser sshd -s /sbin/nologin
And then run make install again...
 
I had the ssh user problem with another box... I will add the pam information now :)
 
I'm having a slight problem:
Code:
[root@server1 root]# `echo -e /etc/xinetd.d/telnet`
-bash: /etc/xinetd.d/telnet: No such file or directory

[root@server1 xinetd.d]# locate telnet
/usr/bin/telnet
/usr/lib/python2.2/telnetlib.py
/usr/lib/python2.2/telnetlib.pyc
/usr/lib/python2.2/telnetlib.pyo
/usr/lib/perl5/vendor_perl/5.8.0/URI/telnet.pm
/usr/share/man/man1/telnet.1.gz
/usr/share/terminfo/t/tgtelnet
/usr/include/arpa/telnet.h
 
Hello,

It doesn't appear as though you have telnet installed. (Don't see a telnetd file).

Just a guess, but try using up2date and see if it will install it for you:

up2date -r telnet

not sure, but just a guess.

****

Also, note about the configure line.. I *had* to add
Code:
--with-md5-passwords
to get logins working again (pam wasn't playing nice). I didn't use pam in the end, but I guess it would try both methods to login if one failed. Good thing I had a telnet window open ;)

John
 
No luck here :(

Says -r isn't a valid option, and plain old up2date telnet says it's already updated.
 
Says -r isn't a valid option

Sorry about that :) I got my FreeBSD pkg_add and up2date -u mixed up. Should be "up2date -u telnet" .. but since you already have it... maybe try
Code:
up2date -u telnetd
to see if the daemon comes separately. (note the "d" at the end)

John
 
DirectAdmin Support said:
Sorry about that :) I got my FreeBSD pkg_add and up2date -u mixed up.
I thought that might be the case.. hah. :)

Anyway, I'm having no luck with up2date -u telnetd either. :(

Tried to re-register and made sure the "telnet" box was checked. On RHN it is saying I have telnet-0.17-25:1.i386.rpm installed.

Hmm..
 
I got it :D

Had to install telnet-server-0.17-25:1.i386.rpm



*sigh*




[edit]I too had to cut the --with-pam bit out to get this to configure right.[/edit]
 
l0rdphi1,

You need to run the following command:

up2date -i pam-devel


Whenever you get those kinds of messages when you are sure that the object is installed, you are most likely missing the devel package.


Also, you could have run:

up2date -i telnet-server

to get the telnet server on your box.
 
Would those who've had DA installed after October need to upgrade SSHD? Does DA install the latest by default? How can I check which version I have running?
 
RTKS said:
Would those who've had DA installed after October need to upgrade SSHD? Does DA install the latest by default? How can I check which version I have running?

yes, you should
no, it doesn't
sshd -v or sshd -V, keep forgetting, otherwise just try sshd --help :D
(When you are using RH 9.0 you can still use up2date, other versions will need a source compile :D)
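
Added example, not part of any post in this thread: a shell check that pulls the OpenSSH version out of a banner or version line and compares it numerically against a minimum release, here the 3.7p1 this thread upgrades to. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Sample lines below are constructed.

# Pull "3.6.1p2" out of a banner or version line; prints nothing if absent.
openssh_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*OpenSSH_\([0-9][0-9.]*\(p[0-9][0-9]*\)\{0,1\}\).*/\1/p'
}

# "3.6.1p2" -> "3 6 1 2" (major minor patch portable); missing fields are 0.
version_fields() (
    v=$1; p=0
    case $v in *p*) p=${v##*p}; v=${v%%p*} ;; esac
    IFS=.
    set -- $v
    echo "${1:-0} ${2:-0} ${3:-0} ${p:-0}"
)

# Exit status 0 when version $1 >= version $2, comparing field by field
# as integers (so 3.10 sorts after 3.7, unlike a string comparison).
version_at_least() (
    set -- $(version_fields "$1") $(version_fields "$2")
    for pair in "$1:$5" "$2:$6" "$3:$7" "$4:$8"; do
        have=${pair%%:*}; want=${pair##*:}
        if [ "$have" -gt "$want" ]; then exit 0; fi
        if [ "$have" -lt "$want" ]; then exit 1; fi
    done
    exit 0
)

# Verdict for one line against minimum $2: 0 ok, 1 upgrade needed, 2 unknown.
check_sshd() {
    found=$(openssh_version "$1")
    if [ -z "$found" ]; then echo "UNKNOWN: $1"; return 2; fi
    if version_at_least "$found" "$2"; then echo "OK $found"; return 0; fi
    echo "UPGRADE $found (minimum $2)"; return 1
}

# Constructed samples: two server banners, one version line, one non-OpenSSH.
for line in 'SSH-1.99-OpenSSH_3.6.1p2' 'SSH-2.0-OpenSSH_3.7p1' \
            'OpenSSH_3.5p1, SSH protocols 1.5/2.0' 'SSH-2.0-ExampleServer'; do
    check_sshd "$line" 3.7p1 || true
done
```

Run it against the identification line the listening daemon sends on connect, not only the installed binary: after `make install` the old sshd keeps serving until it is restarted.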
 