# I think I got rooted :(

## mmurray

I think I have been rooted.  I tested the openssh vulnerability on my box and I got in.  I am running 3.4p1  HHHmmmm!  Which I thought was not vulnerable. Anyway I did a netstat an and I have two ports listing:  32768/tcp Filenet TMS and 177/tcp    X Display Manager Control Protocol.  As for port 177 I followed the directions from a cert advisory, but the port is still listening.  

```
To disable remote connections comment out the following two lines in the "Xaccess" configuration file by adding a # symbol to the beginning of each line: 

* #any host can get a login window

* CHOOSER BROADCAST #any indirect host can get a chooser 

becomes

#* #any host can get a login window

#* CHOOSER BROADCAST #any indirect host can get a chooser 
```

What is filenet 32768? 

How do I turn off these ports from listening?  

Thank you!    :Crying or Very sad: 

----------

## pjp

You may want to see this thread.  Not sure if it answers your specific question.

----------

## mmurray

Thanks for the infomation, this mean that anyone that uses gentoo portage for openssh is vulnerable since I rsync and reinstalled ssh today and the version hasn't changed (3.4p1).  Anyway, I have done some more research and have found that  Hackers Paradise uses port 32768.  

Any idea on how to stop the port 32768 from listening?

----------

## rac

 *mmurray wrote:*   

> Thanks for the infomation, this mean that anyone that uses gentoo portage for openssh is vulnerable since I rsync and reinstalled ssh today and the version hasn't changed (3.4p1).

 

I don't think you can draw this conclusion.  Once your box has been compromised, any action you take short of getting the system into a known good state is not reliable.  Simply reinstalling ssh will not change anything, assuming someone has unauthorized access to your machine.

Please don't start a general panic.

As I posted in the thread kanuslupus pointed you to (and delta407 said more clearly): if you haven't done so already, disconnect the machine's network connection immediately.  Then figure things out later.

 *Quote:*   

> Anyway, I have done some more research and have found that  Hackers Paradise uses port 32768.  
> 
> Any idea on how to stop the port 32768 from listening?

 

Again, as I said in that other thread, you can use lsof to find out what process is responsible for opening it, and kill it.

----------

## cpwp

I am also using OpenSSH 3.4p1.

How can I test to see if mine is vulnerable?

CP

----------

## Zu`

I thought (recently) libssl and libcrypto where vulnerable too.

If we update this with portage, shouldn't there be stuff that needs to be rebuilt against the new libraries? Like OpenSSH for example.

I've been wondering about this, how does Gentoo deal with this?

If we first upgrade our OpenSSH and a few days later our libssl, shouldn't we rebuild OpenSSH (and other stuff that uses SSL, like stunnel)?

Or does stuff like OpenSSH use the libraries dynamically?

Just something I've been wondering about.

----------

## rac

 *Zu` wrote:*   

> Or does stuff like OpenSSH use the libraries dynamically?

 

ldd is a great tool for finding out what libraries are linked dynamically by a given binary.  In the specific case you ask about, I notice this comment from the openssh-3.4_p1-r3 ebuild: 

```
# openssh recognizes when openssl has been slightly upgraded and refuses to run.

# This new rev will use the new openssl.
```

...and it also has a dependency on >=dev-libs/openssl-0.9.6d

----------

## Zu`

 *rac wrote:*   

>  *Zu` wrote:*   Or does stuff like OpenSSH use the libraries dynamically? 
> 
> ldd is a great tool for finding out what libraries are linked dynamically by a given binary.  In the specific case you ask about, I notice this comment from the openssh-3.4_p1-r3 ebuild: 
> 
> ```
> ...

 

Thanks, clear things up a bit. I knew about ldd, didn't think about it.

Just wanted to be sure vulnerabilities can be prevented by running emerge -u on packages that have know exploits. Ofcourse it'll never be 100% secure and I guess there will always be unknown exploits.

----------

