Re: sshd logins without a source

[Valdis.Kletnieks () vt edu]

On Fri, 23 Sep 2011 11:45:35 +0800, BH said:
> Hi,
>
> I am taking a look at a few different servers that have been rooted at
> around the same time. At the time of the compromise I can see in each
> servers sshd logs an entry like the following:
>
> Sep 22 12:57:14 test-vm sshd[25002]: pam_unix(sshd:session): session
> opened for user root by (uid=0)
> Sep 22 12:57:32 test-vm sshd[25002]: pam_unix(sshd:session): session
> closed for user root

Well, my first guess is the guys managed to wipe some but not all the
log entries, using anything from sed to perl to cat to.. ;)  But if you need
alternate theories, here's one (untested) one for you:

At least at one time, it was possible (though discouraged) to launch sshd from
inetd, rather than having an sshd running all the time.  In that case, inetd would
catch the incoming connection, and spawn an sshd with file descriptors 0,1,2
pre-connected to the socket.  That code path may have assumed that inetd
would have done the connection logging and thus not logged it.

This would impliy that either the attacker got an sshd entry into inetd.conf,
or that he got code executed on the machine in ohther ways, and then fork/
exec'ed an ssh the same way inetd would (which would be odd, as fork/exec'ing
/bin/bash would be a lot more productive ;)

Of course, I haven't had my caffeine yet, so... ;)

Attachment: _bin
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/