RE: !SPAM! Automated ssh scanning

[Stephen Agar <Stephen.Agar () bmhcc org>]

> > Somehow, this message got to me before Ron's reply did, so I will 
> > respond to both inline.
> > > On Thu, 26 Aug 2004 12:26:04 -0500 (CDT), Ron DuFresne 
> > > <dufresne () winternet com> wrote:
> > > > On Thu, 26 Aug 2004, Stephen Agar wrote:
> > > >
> > > > > I think many of you are missing the point. Yes the 
> guest/guest 
> > > > > account is weak, but this kernel is (according to debian) 
> > > > > patched..therefore free from local exploits that can be
> > > used to gain
> > > > > superuser access. I mean if this were the case, then any box 
> > > > > that ran this version of debian to do something like "web
> > > hosting" that
> > > > > gave users shell access, may as well give them all full sudo.
> > > > > Because you people are assuming that if someone can gain
> > > access to the box, secured or not, they can gain root..i disagree.
> > > > The issue here is why does debain include such a weak
> > > account,m thaqt
> > > > has not been tamed via a very restricted chroot env!?
> >
> > That is one issue, but given that I haven't installed 
> debian in years, 
> > I can't really answer it. However, I don't think it's the "main" 
> > issue. The main issue to me is, if I do install debian, and give an 
> > account to a friend (albeit not a trusted friend), do I 
> have to worry about a "fully patched"
> > box still getting rooted via a local exploit?
>
>
> most likely.
>
>
> > > That's not the issue though.  As someone who has installed and 
> > > maintained debian systems over a period of years, I can 
> assure you 
> > > that debian does not include a guest account (or any 
> account) with a 
> > > weak password or shell.
> > >
> > > There aren't any shell accounts other than root on a 
> debian install 
> > > until added by the administrator.
> > >
> > > The weak account in question here was created by the 
> original poster 
> > > with the intent of catching one of these apparently automated ssh 
> > > attacks.
> >
> > If he did create those accounts himself for "honeypot" 
> purposes, and 
> > this isnt default on that debian install then it has shown us all 
> > something. It has opened the flood gates for discussion about local 
> > exploits in that particular install, that we would assume 
> were patched 
> > (unless they are undisclosed vulns..but do we really think 
> the script 
> > kiddies have that many 0day exploits...yikes!)
>
>
> how many times in the last year has kde or gnome been patched 
> to deal with a particular security issue?  How about the 
> kernel?  apache?
> openssl?  etc..., now consider what one poster said a few 
> replies back about there being undisclosed holes in merely 
> the kernel for linux, then reconsider his statements inline 
> with all the packages installed in a desktop, server etc 
> offered by the various dists setups...
>
>
> Now to tweak the issues tightly into mind, look at how many 
> updated RPM's or DBM's or what yer fav dist formats it's 
> packages and understand, the vast majority of those updated 
> packages are there because they addressed security issues 
> from this and the various other lists on the topic...
>
>
> Then, take a deep breath so as to not turn purple once you 
> have taken this in....

Yes...of course things have to be discovered, and brought to the attention
of the appropriate people..and take time to be fixed. If someone with the
appropriate skills wants to get into your box...unless it's totally
inaccessible to the world, they can probably find a way. I however don't
think the culprit in this case was anything more than a kiddie who
downloaded "brutessh2" and another publically known exploit..and used it.
However, as is often the case..I could be totally wrong.

> > > > As Barry pointed to directly, it all depends upon what you make 
> > > > available to your clients once in a shell.  It;s very 
> likely your 
> > > > server would be as exploitable as most 'default' installs
> > > with the kitchen sink dropped in.
> > > > Perhaps not, but likely, depending upon what you 'installed
> > > and allow
> > > > clients access to'.
> > > >
> > > > Thanks,
> > > >
> > > > Ron DuFresne
> >
> > I agree, if this was a production box...then any shell 
> account I had 
> > would either be set up for something like "scp only" for a 
> "web host", 
> > or jailed very tightly..along with every other service 
> running on the 
> > box. I was just saying, that if I install my box, and apply every 
> > available patch, I would expect it to be free of local 
> exploits as well as remote ones.
> >
>
> Unless you know and trust all the folks you share shells with 
> on the net, be concerned.
>
> expect nothing, you now have a clue.  Oh, and understand, 
> even the pay large sums vendors face the same issues, hp, 
> solaris, sgi, etc, same issues.  Make  all choices carefully 
> with full awareness of the consquences of the choices you make.

I had a "clue" before. We tell people that "after you install, patch
everything and turn off unneeded services". I guess we should say, "go ahead
and do all that, but you're still screwed". 

> Thanks,
>
> Ron DuFresne


I don't disagree with anything you say...I guess I just have that "damned if
you do, damned if you don't" kind of feeling.

--stephen 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html