Educause Security Discussion mailing list archives

Re: dictionary attacks against root


From: Eric Pancer <epancer () SECURITY DEPAUL EDU>
Date: Sun, 22 Aug 2004 00:00:00 GMT

I thought we were keeping that channel private :-)

I'm actually away from keyboard today, for once!

-----Original Message-----
From: Dave Monnier <dmonnier () IU EDU>
Date: Sun, 22 Aug 2004 13:11:29
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] dictionary attacks against root

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Members of the UNISOG IRC group have been following this for a month or
so.  Groups at Indiana University, Depaul University, University of
Minnesota, and Kansas State University have all done analysis of the
scanners and tools.  Since our first look at the code, on July 21st,
we've now seen at least four variants of the attack.  Initially the
process was as follows:

1. Attacking host, using a port scanner, looks for open sshd ports. This
scan appeared to cover the entire public internet.

2. Once this piece of software found an open sshd, it would hand the IP
to another piece of code. This was a specially written ssh client
designed to attempt three login/password combinations: test, guest, and
admin.  Some small percentage of hosts on the internet were successfully
accessed using this method.  On success, this code would record the IP
and account for later use.

3. Using the list of successful logins, attackers would then manually
access the system.  Forensic analysis of the intrusions showed that this
step was done manually as there were typos in the shell history and
inconsistency in method across hosts.  Once inside the attackers would
grab a local system exploit (a few of the Linux kernel exploits
published in the last year), escalate their privileges, and install a
root kit (In almost all cases Suckit was used).  Once root access was
attained, the attackers would then pull down their tools and start over
the same process from there as well as setup an IRC bot to connect to
the Undernet IRC network.  On systems where the escalation was
unsuccessful, the attackers would use the host only as an IRC proxy or bot
as their scanning code seems to require privileged access to work.

On July 28th, following the initial analysis by Indiana University and
Kansas State University, I contacted the Undernet security team about
the use of their network in the attacks.  They responded and began
working on it by the 29th.

On or around August 1st we began to see the addition of "root" to the
attack, followed shortly by 30 or so additional logins.  These
additional logins included many standard accounts found on Linux systems
like "qmail", "oracle", and "nobody", bringing the variant count to three.

On Thursday, August 19th, the University of Minnesota reported having
analyzed the fourth variant.  This code included more than 2000
passwords for the user "root".

Essentially this attack preys on weak systems.  All of the attacks are
based on either weak authorization (open to the world sshd) or weak
authentication (simple passwords).  Judging by the scale of the scanning
seen across the internet, it's apparent that it is effective to some
extent though.

SANS also had an analysis of the scanning.
http://isc.sans.org/diary.php?date=2004-07-28
http://lists.sans.org/pipermail/list/2004-July/061219.html

Cheers,
- -Dave

- --
| Dave Monnier - dmonnier () iu edu - http://php.indiana.edu/~dmonnier/ |
|  Lead Security Engineer, Information Technology Security Office    |
|  Office of the VP for Information Technology, Indiana University   |
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBKOHRBIf6jlONJjIRAr/ZAKCSMG92rAGkliOTf7TRLIQudJ4dRwCbBqHk
zBJ8qRXE8QFL0K9gTR1+Upc=
=Tpnq
-----END PGP SIGNATURE-----

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
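The spray Dave describes (test, guest, admin, then root with a long password list) leaves a recognisable trace in sshd's auth log: a single source cycling through those account names with password failures, sometimes followed by a password success. The following is an added example, not code from the thread or from any of the universities named in it, that parses a handful of constructed sshd log lines and flags sources matching that pattern. The log lines, host names, addresses and the `min_failures` threshold are all invented for illustration.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not real logs): one source sprays the
# account names from the post and then gets in as root; a second source is
# a legitimate key-based user with a single typo'd password attempt.
SAMPLE_LOG = """\
Aug 20 02:11:01 web1 sshd[4811]: Failed password for invalid user test from 203.0.113.7 port 51022 ssh2
Aug 20 02:11:03 web1 sshd[4813]: Failed password for invalid user guest from 203.0.113.7 port 51024 ssh2
Aug 20 02:11:05 web1 sshd[4815]: Failed password for invalid user admin from 203.0.113.7 port 51026 ssh2
Aug 20 02:11:07 web1 sshd[4817]: Failed password for root from 203.0.113.7 port 51028 ssh2
Aug 20 02:11:09 web1 sshd[4819]: Failed password for root from 203.0.113.7 port 51030 ssh2
Aug 20 02:11:11 web1 sshd[4821]: Failed password for root from 203.0.113.7 port 51032 ssh2
Aug 20 02:11:13 web1 sshd[4823]: Accepted password for root from 203.0.113.7 port 51034 ssh2
Aug 20 02:15:40 web1 sshd[4902]: Accepted publickey for alice from 198.51.100.12 port 40100 ssh2
Aug 20 02:16:02 web1 sshd[4910]: Failed password for alice from 198.51.100.12 port 40102 ssh2
"""

# Matches the OpenSSH "Accepted/Failed <method> for [invalid user] <user>
# from <ip> port <n>" lines; the timestamp is kept but not used below.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Account names the scanners cycled through, as reported in the thread.
PROBE_ACCOUNTS = {"test", "guest", "admin", "root"}


def parse(log_text):
    """Return one dict per recognised auth line (unrecognised lines skipped)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_sprays(events, min_failures=3):
    """Group events by source IP and return {ip: record} for sources with at
    least min_failures password failures that touched a probe account.
    record["accepted_after"] lists users for which a *password* login
    succeeded from that source after failures had already been seen, which
    is the step the post says was then followed by manual access."""
    per_ip = defaultdict(lambda: {"failures": 0, "users": set(), "accepted_after": []})
    for ev in events:  # events are in log order, so "after" is positional
        rec = per_ip[ev["ip"]]
        if ev["result"] == "Failed" and ev["method"] == "password":
            rec["failures"] += 1
            rec["users"].add(ev["user"])
        elif ev["result"] == "Accepted" and ev["method"] == "password" and rec["failures"] > 0:
            rec["accepted_after"].append(ev["user"])
    return {
        ip: rec
        for ip, rec in per_ip.items()
        if rec["failures"] >= min_failures and rec["users"] & PROBE_ACCOUNTS
    }


if __name__ == "__main__":
    for ip, rec in find_sprays(parse(SAMPLE_LOG)).items():
        print(ip, rec["failures"], "failures, users tried:", sorted(rec["users"]),
              "password logins after failures:", rec["accepted_after"])
```

On the sample input only 203.0.113.7 is reported (six failures across all four probe accounts, then a successful root password login); alice's single failure from 198.51.100.12 stays below the threshold and never touches a probe account. The same grouping logic applies to a real `/var/log/auth.log` or `/var/log/secure`, and the two sshd_config settings that close the weaknesses the post names are `PermitRootLogin no` and `PasswordAuthentication no`.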
