This is probably from you using ssh or sftp from that system to a system that bjk23 is your userid. ssh caches host keys with userinfo, most often in ~/.ssh/knownhosts. If you are using imap with ssh it may cache the hostkey as well.

h

Benjamin Kraus wrote:

As recommended by the security advisory, I ran "ssh-vulnkey", and two of the entries are:

Unknown (no blacklist information): 1024 bb:1b:b8:e9:bb:85:5f:fd:e8:87:c3:64:f9:15:9e:2f root@bjk23
Not blacklisted: 1024 c7:30:17:9d:d3:2b:01:1d:6a:26:29:aa:5a:5c:f3:fd root@bjk23

The rest of the entries I recognize, but I'm not sure where these two entries are coming from. bjk23 is my Cornell NetID, but I don't believe it has been my login name on any computer, and definitely not since I installed Ubuntu on my machine. I know that I've never named any computer "bjk23".

Any ideas what this entry means, and how I can remove it from this list?

- Ben

on 2008-05-15 18:21, Kamaraju Kusumanchi said the following:

Thanks for the heads up. I also want to caution other Debian users to check their /var/log/auth.log to see if their machine has been compromised.

raju

On Thu, May 15, 2008 at 5:10 PM, Hurf Sheldon wrote:

Forwarded to cslug-l from netadmin-l

h

--------

A recently released security announcement affects Debian and Debian-derived systems (Ubuntu, Knoppix, etc). The primary risk posed by this vulnerability is to SSH host keys, though SSL and OpenVPN keys are also at-risk.

We have seen a significant increase in scanning for vulnerable systems, and several exploits are now publicly available. Anyone running Debian or one of its derivatives is urged to patch and regenerate SSH/SSL/VPN keys as necessary. For more information: <http://www.debian.org/security/2008/dsa-1576>

Starting tomorrow (Friday, 16 May) we will be scanning campus for vulnerable SSH instances. This scanning takes the form of a single SSH connection from either secutil1.cit.cornell.edu or secutil2.cit.cornell.edu. This will allow us to compare the signature of the host key in use to a published list of weak keys. Where applicable, netadmins will be notified of vulnerable systems.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Reply-to:
Network Operations Center
Cornell University
Ithaca, NY 14853
607-255-9900
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
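
Added example (not from the thread and not ssh-vulnkey's own code): how the fingerprint of a key line, in the colon-separated form shown in the output above, can be computed and compared against a list of weak-key fingerprints, and where the trailing label on each output line comes from. The blacklist layout, the BLACKLISTED status word, and all key material and names (root@example, host.example) are constructed assumptions.

```python
import base64, hashlib, struct

def _read(blob, off):
    # SSH wire format: 4-byte big-endian length, then that many bytes
    (n,) = struct.unpack_from(">I", blob, off)
    return blob[off + 4:off + 4 + n], off + 4 + n

def parse_key_line(line):
    """Parse a .pub/authorized_keys or known_hosts line -> (type, bits, fingerprint, label)."""
    fields = line.split()
    idx = next(i for i, f in enumerate(fields) if f in ("ssh-rsa", "ssh-dss"))
    blob = base64.b64decode(fields[idx + 1])
    ktype, off = _read(blob, 0)
    if ktype.decode() != fields[idx]:
        raise ValueError("declared key type does not match the key blob")
    if ktype == b"ssh-rsa":          # RSA blob holds e first, then the modulus n
        _e, off = _read(blob, off)
    size_int, _ = _read(blob, off)   # n for RSA, p for DSA
    bits = int.from_bytes(size_int, "big").bit_length()
    digest = hashlib.md5(blob).hexdigest()
    fp = ":".join(digest[i:i + 2] for i in range(0, 32, 2))
    # Trailing comment (user@host) in .pub/authorized_keys; leading host list in known_hosts
    label = " ".join(fields[idx + 2:]) or " ".join(fields[:idx])
    return fields[idx], bits, fp, label

def classify(line, blacklists):
    """blacklists: {(type, bits): set of fingerprints}; this layout is an assumption."""
    ktype, bits, fp, label = parse_key_line(line)
    known = blacklists.get((ktype, bits))
    if known is None:
        status = "Unknown (no blacklist information)"
    elif fp in known:
        status = "BLACKLISTED"       # constructed status word, not taken from the thread
    else:
        status = "Not blacklisted"
    return f"{status}: {bits} {fp} {label}"

def _sample(ktype, *ints):
    # Constructed sample material: arbitrary integers in SSH mpint encoding, not real keys
    parts = [ktype.encode()] + [b"\x00" + i.to_bytes(128, "big") for i in ints]
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return f"{ktype} {base64.b64encode(blob).decode()}"

WEAK = _sample("ssh-rsa", 65537, (1 << 1023) | 0x1234567) + " root@example"
OTHER = _sample("ssh-rsa", 65537, (1 << 1023) | 0x7654321) + " root@example"
DSA = "host.example " + _sample("ssh-dss", 1 << 1023)
BLACKLISTS = {("ssh-rsa", 1024): {parse_key_line(WEAK)[2]}}

if __name__ == "__main__":
    for entry in (WEAK, OTHER, DSA):
        print(classify(entry, BLACKLISTS))
```

The label printed at the end of each line is whatever text the key file stores next to the key, so it identifies where the key was generated or which host it belongs to, not the account currently holding the file.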