≡ Menu


Debian Linux project released the OpenSSH security updates for computers powered by its Debian Linux operating systems. The Openssh package has remote unsafe signal handler DoS Vulnerability. It has been discovered that the signal handler implementing the login timeout in Debian's version of the OpenSSH server uses functions which are not async-signal-safe, leading to a denial of service vulnerability.

Systems affected by this issue suffer from lots of zombie sshd processes. Processes stuck with a "[net]" process title have also been observed. Over time, a sufficient number of processes may accumulate such that further login attempts are impossible. Presence of these processes does not indicate active exploitation of this vulnerability.

Package        : openssh
Vulnerability  : remote
Problem type   : unsafe signal handler
Debian-specific: no
CVE Id(s)      : CVE-2008-4109
Debian Bug     : 498678

How do I fix this problem?

Login as root and type the following commands to update the internal database, followed by corrected packages installation:
# apt-get update
# apt-get upgrade

DROP (Don't Route Or Peer) is an advisory "drop all traffic" list, consisting of stolen 'zombie' netblocks and netblocks controlled entirely by professional spammers. DROP is a tiny sub-set of the SBL designed for use by firewalls and routing equipment.

DROP is currently available as a simple text list, but will also be available shortly as BGP with routes of listed IPs announced via an AS# allowing networks to then null those routes as being IPs that they do not wish to route traffic for.

The DROP list will NEVER include any IP space "owned" by any legitimate network and reassigned - even if reassigned to the "spammers from hell". It will ONLY include IP space totally controlled by spammers or 100% spam hosting operations. These are "direct allocations" from ARIN, RIPE, APNIC, LACNIC, and others to known spammers, and the troubling run of "hijacked zombie" IP blocks that have been snatched away from their original owners (which in most cases are long dead corporations) and are now controlled by spammers or netblock thieves who resell the space to spammers.

When implemented at a network or ISP's 'core routers', DROP will protect all the network's users from spamming, scanning, harvesting and dDoS attacks originating on rogue netblocks.

Shell script to apply DROP

Here is a shell script, you need to run on Linux based firewall / router / dedicated Linux web / mail server:

echo ""
echo -n "Applying DROP list to existing firewall..."
[ -f $FILE ] && /bin/rm -f $FILE || :
cd /tmp
wget $URL
blocks=$(cat $FILE  | egrep -v '^;' | awk '{ print $1}')
iptables -N droplist
for ipblock in $blocks
 iptables -A droplist -s $ipblock -j LOG --log-prefix "DROP List Block"
 iptables -A droplist -s $ipblock -j DROP
iptables -I INPUT -j droplist
iptables -I OUTPUT -j droplist
iptables -I FORWARD -j droplist
echo "...Done"
/bin/rm -f $FILE

Call above script from existing firewall script every 24 hrs to update and block list. Every time it's run by crontab it will download the list and reapply the changes. You may need to modify above script to delete droplist chain before applying list. Please note that if you are using Cicso routers, use this script for the same purpose. You can also use CISCO 'null route' command:

ip route <network> <mask> null0

If you don't want to play with iptables, null route all bad ips using following route command under Linux syntax:
# route add <IP> gw lo
# route add -net <IP/mask> gw lo

Try this and you will surprise to see how much spam and other bad stuff can be blocked.

How scriptkiddies turns Linux box into a Zombie

This is a good analysis and sort of demonstration for all new Linux admin. It does shows how to do forensic kind of analysis on a cracked box. A good read for everyone ~ if you want to know how Linux server is cracked and turned into a zombie ;)