Educause Security Discussion mailing list archives
Re: SSH password capture
From: Andrew Daviel <advax () TRIUMF CA>
Date: Mon, 28 Jun 2010 14:31:01 -0700
On Mon, 28 Jun 2010, Scott Beardsley wrote:
> what is everyone else doing to manage system updates in their *nix (and/or heterogeneous) environments?
We use Yum (on Red Hat-based Scientific Linux, our "official" distro). Note that some repos/configs don't enable signature checks, which is mandatory IMO for automated updates to guard against repo poisoning. The risk is tiny, the possible worst-case consequences disastrous.

I did want to do some package-based vulnerability checks, but hadn't found anything I liked. OVAL is a bit complicated/slow for what it does, and relies on a manufacturer-supplied checksum database. Scientific Linux is RHEL recompiled from GPL'd source, like CentOS, and doesn't have a database. Nessus includes the ability to log in (e.g. with SSH keys from a bastion host) and check RPMs, but again there is no database for SL as it's a niche distro. There is for Fedora/RHEL, CentOS, most major distros.
> Hopefully you've reinstalled these machines, forced a password change for all users, and notified your users. Any idea how they got in?
We suspect via CVE-2009-2692. The initial attack was on an older machine that we patched against this later the same day. I didn't find any exploit lying around, but by the time we'd found the problem and backtracked, the logs had rolled over. I was able to discover and decode the logs, so have been chasing down users. Many of the captured passwords were for uninfected machines, some offsite.
We still have some machines vulnerable to CVE-2009-2692 (privilege escalation vulnerability) which we are working to identify and fix/mitigate (reboot to a newer kernel, or block installation of certain networking modules).
-- Andrew Daviel, TRIUMF, Canada
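The two operational points in the message above, mandatory signature checks for unattended yum updates and blocking autoload of networking modules on hosts not yet rebooted into a fixed kernel, as one worked example in POSIX sh plus awk. This is an added example, not code from the post or from TRIUMF. It assumes yum's real layout ([main] in /etc/yum.conf, one [repoid] section per repository in /etc/yum.repos.d/*.repo) and the modprobe.d "install MODULE /bin/true" override; the repository definitions in make_sample_tree are constructed for the demo, and the module names passed in the demo are illustrative only, not a statement of which modules the advisory for CVE-2009-2692 lists.

```shell
#!/bin/sh
# Added example, not code from the original post or from TRIUMF.
#  1. audit_gpgcheck: list enabled yum repos that would install packages
#     without RPM signature verification (assumes yum's /etc/yum.conf +
#     /etc/yum.repos.d/*.repo layout; paths are parameters).
#  2. block_modules / module_blocked: write and verify modprobe.d
#     "install MODULE /bin/true" overrides that stop a module autoloading.

# ini_get FILE SECTION KEY: print KEY's value from [SECTION], or nothing.
ini_get() {
    awk -v want="$2" -v key="$3" '
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/].*$/, "", s)
                      insec = (s == want); next }
        insec && $0 ~ "^[ \t]*" key "[ \t]*=" {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v)
            print v; exit }
    ' "$1"
}

# unsigned_repos_in FILE DEFAULT: print FILE:repoid for each enabled repo
# section whose effective gpgcheck is not 1; a section without its own
# gpgcheck line inherits DEFAULT (the [main] value). [main] itself is skipped.
unsigned_repos_in() {
    awk -v dflt="$2" '
        function flush() {
            if (sec != "" && sec != "main" && en == "1" && (gpg == "" ? dflt : gpg) != "1")
                print FILENAME ":" sec
        }
        /^[ \t]*\[/ { flush(); sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/].*$/, "", sec)
                      gpg = ""; en = "1"; next }
        /^[ \t]*gpgcheck[ \t]*=/ { gpg = $0; sub(/^[^=]*=[ \t]*/, "", gpg); sub(/[ \t]*$/, "", gpg) }
        /^[ \t]*enabled[ \t]*=/  { en = $0;  sub(/^[^=]*=[ \t]*/, "", en);  sub(/[ \t]*$/, "", en) }
        END { flush() }
    ' "$1"
}

# audit_gpgcheck YUM_CONF REPO_DIR: print every unsigned enabled repo and
# return 1 if any exist, 0 otherwise. An absent [main] gpgcheck is treated
# as 0 (yum's own default, and the conservative assumption).
audit_gpgcheck() {
    conf=$1; repodir=$2; found=0
    dflt=$(ini_get "$conf" main gpgcheck)
    [ -n "$dflt" ] || dflt=0
    for f in "$conf" "$repodir"/*.repo; do
        [ -f "$f" ] || continue
        hits=$(unsigned_repos_in "$f" "$dflt")
        if [ -n "$hits" ]; then printf '%s\n' "$hits"; found=1; fi
    done
    return "$found"
}

# block_modules CONF_FILE MODULE...: one modprobe.d override per module so an
# autoload attempt runs /bin/true instead. Which modules to name for
# CVE-2009-2692 is the vendor advisory's call; callers pass the list.
block_modules() {
    out=$1; shift
    for m in "$@"; do printf 'install %s /bin/true\n' "$m"; done > "$out"
}

# module_blocked CONF_FILE MODULE: exit 0 if CONF_FILE overrides MODULE.
module_blocked() {
    grep -q "^[[:space:]]*install[[:space:]][[:space:]]*$2[[:space:]]" "$1"
}

# make_sample_tree DIR: constructed yum tree for the demo; no repo is real.
make_sample_tree() {
    mkdir -p "$1/yum.repos.d"
    printf '[main]\ncachedir=/var/cache/yum\ngpgcheck=1\n' > "$1/yum.conf"
    cat > "$1/yum.repos.d/sl.repo" <<'EOF'
[sl-base]
baseurl=http://example.invalid/base
enabled=1
gpgcheck=1

[sl-security]
baseurl=http://example.invalid/security
enabled=1
EOF
    cat > "$1/yum.repos.d/third-party.repo" <<'EOF'
[vendor-tools]
baseurl=http://example.invalid/vendor
enabled=1
gpgcheck=0

[vendor-testing]
baseurl=http://example.invalid/vendor-testing
enabled=0
gpgcheck=0
EOF
}

# demo: only third-party.repo:vendor-tools is reported (sl-security inherits
# gpgcheck=1 from [main]; vendor-testing is disabled), then the overrides.
demo() {
    d=$(mktemp -d)
    make_sample_tree "$d"
    audit_gpgcheck "$d/yum.conf" "$d/yum.repos.d" || echo "unsigned enabled repos found"
    block_modules "$d/mitigate-2692.conf" pppox appletalk ipx   # illustrative names
    cat "$d/mitigate-2692.conf"
    rm -rf "$d"
}

case "${1:-}" in
    --demo)  demo ;;
    --audit) audit_gpgcheck /etc/yum.conf /etc/yum.repos.d ;;
esac
```

Run with `--demo` to see the constructed case, or `--audit` on a host to get a non-zero exit when any enabled repository would skip signature checks, which makes it usable as a pre-flight gate in a cron-driven `yum -y update`. Treating a missing [main] gpgcheck as 0 means repositories that only inherit their setting get flagged until the default is set explicitly, which is the behaviour you want for unattended updates.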
Current thread:
- Re: SSH password capture John Ladwig (Jun 27)
- <Possible follow-ups>
- Re: SSH password capture Scott Beardsley (Jun 28)
- Re: SSH password capture Andrew Daviel (Jun 28)