Educause Security Discussion mailing list archives
Ongoing Port 6000 attacks, Windows Xserver Compromises, keyloggers
From: Warren Petrofsky <petrofsk () SAS UPENN EDU>
Date: Wed, 24 Jan 2007 16:42:36 -0500
We are seeing an alarming attack trend on the Penn campus. Please find below a summary and preliminary conclusions, followed by some details. I apologize in advance for the length of this report. We are very interested in receiving suggestions and comments from the group, as well as getting the warning out there, as we have yet to find any reports of this trend, though as a colleague pointed out, the ISC Storm Center does show a significant spike in both sources and targets for port 6000 between Dec. 11th and 14th, 2006.

Summary and Conclusion:

We have seen a series of single user accounts compromised, with users using unique, complex (sometimes > 14 char) passwords that are only sent over encrypted channels. In most cases, these users were running an X-server application on their Windows machine, connecting to a Linux or Solaris server, using ssh tunneling. Our current working assumption is that there is an active compromise being spread via vulnerable Xserver installations on port 6000. After privilege escalation is achieved, keyloggers are being installed on the system in general, or all transmissions to the xsession are being logged.

Today, 1/24/07, we have received notice from an administrator at another university that one of their compromised machines contained full-text logs of entire xsessions from machines on our campus and others. These sessions included texts of emails, root passwords (when su - was issued), etc. They are in the process of notifying security/abuse at each organization for which they have logs. They also have the shell script and binary presumably used during this attack, but have not yet had time for a full analysis.

Details:

Beginning 1/6/07 we received several abuse reports of systems on campus attacking other .edu machines. In some cases these were ssh dictionary attacks against a wide range of external subnets; in at least one case we found evidence of a compromised account widely probing systems for the Horde Help Viewer Vulnerability (http://www.securityfocus.com/bid/17292). The primary complaint, however, was of our compromised accounts probing port 6000 on multiple machines across multiple networks. On several of our machines we found scripts and IRC bots installed in obfuscated directories like /dev/shm/ /someDirName or /var/samba/ /samba/.. /someDirName (note the spaces and dots). We have yet to find a sample of the binary or script attacking port 6000.

In at least one case, a user changed his password from a secured machine, and within a week, a successful first-attempt login was made using his new password, from an IP address in Romania.

We discovered that three of the most popular Windows Xserver applications, Exceed, WinAXE, and Cygwin's Xwin, all silently open port 6000 in the Windows firewall, despite the fact that this is unnecessary when using ssh port forwarding. We verified that our users were, in fact, configured to connect over ssh, and that this was working properly. A SecurityFocus search turned up at least 3 privilege-escalation vulnerabilities in the Xorg and XFree86 libraries since August 2006 (links provided at end of message), which these products _may_ be vulnerable to, though we have no way of knowing which implementation of X11 they are using (except Cygwin, which is using Xorg). As far as I can determine, none of these Windows apps has had a patch or update after these vulnerabilities were discovered. Even if they were updated, as standalone applications, end-users are very unlikely to have applied any such patches.

Given that in one user's case the plaintext of two new, very complicated passwords was apparently known to a remote attacker within a week of generation, our current assumption is that a software keylogger was installed on one or both of his Windows machines, or that compromise of the Xserver allowed logging of all data sent to the local xsession. Our desktop group is currently examining these machines, but in general, they were properly updated Windows XP machines, with the Windows firewall enabled (with port 6000 opened), with SAV installed and updated. During one of the first compromises, the local support provider noted 3 connections to port 6000 on one of these Windows machines, from three different .edu's, to which the user had no affiliation.

This seems to us to be an expanding network of compromised and attacking machines, putting significant amounts of sensitive data at risk. I am hoping that members of this list can help us determine the mechanism of this attack, and that this notification helps others identify compromised machines on their network.

Sincerely,

--
Warren Petrofsky
petrofsk () sas upenn edu
Information Security Specialist
SAS Computing - University of Pennsylvania
215-573-0999

Please find below a list of X exploits and IP addresses of attacking machines.

X exploits:
http://www.securityfocus.com/archive/1/456429
http://www.securityfocus.com/archive/1/445812/30/0/threaded
http://www.securityfocus.com/archive/1/444269

General search:
http://www.securityfocus.com/swsearch?query=x11&sbm=%2F&submit=Search%21&metaname=alldoc&sort=swishlastmodified

IP addresses of attacking machines:
81.196.68.48
86.125.106.199
85.120.71.66
80.55.98.90
86.34.211.118
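A defender-side check for the exposure the report describes, added here as an example and not part of the original message: it parses a constructed `netstat -an` sample from a Windows desktop running an X server and flags X11 display ports (6000-6063) listening on a non-loopback address, plus established connections to those ports from addresses outside a trusted prefix list. The sample output, the 192.0.2.0/24 "campus" prefix and the 198.51.100.77 peer are constructed; the trusted-prefix list is an assumed parameter.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample of `netstat -an` output from a Windows host whose X server
# listens on all interfaces (display :0) and on loopback only (display :1).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6000           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:6001         0.0.0.0:0              LISTENING
  TCP    192.0.2.20:6000        81.196.68.48:3321      ESTABLISHED
  TCP    192.0.2.20:6000        198.51.100.77:4410     ESTABLISHED
  TCP    192.0.2.20:6000        192.0.2.5:1055         ESTABLISHED
  TCP    192.0.2.20:22          192.0.2.5:51002        ESTABLISHED
"""

X11_PORTS = range(6000, 6064)  # display :0 .. :63

# Only IPv4 TCP rows are considered; IPv6 rows are ignored by the pattern.
LINE_RE = re.compile(
    r"^\s*TCP\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+(\w+)"
)


def audit_x11_exposure(netstat_text, trusted_nets=("127.0.0.0/8",)):
    """Return (exposed_listeners, remote_x11_peers).

    exposed_listeners: X11 ports listening on a non-loopback address, i.e.
    reachable from the network even though ssh forwarding needs only loopback.
    remote_x11_peers: (port, peer) pairs for established connections to an
    X11 port from an address outside trusted_nets (assumed parameter).
    """
    trusted = [ip_network(n) for n in trusted_nets]
    exposed, peers = [], []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        laddr, lport, faddr, _fport, state = m.groups()
        lport = int(lport)
        if lport not in X11_PORTS:
            continue
        if state == "LISTENING" and not ip_address(laddr).is_loopback:
            exposed.append(lport)
        elif state == "ESTABLISHED":
            fa = ip_address(faddr)
            if not any(fa in net for net in trusted):
                peers.append((lport, faddr))
    return exposed, peers
```

Any non-empty result means the X server is reachable beyond the tunnel; the fix is to bind it to loopback (or remove the firewall exception) since ssh forwarding talks only to localhost.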