Full Disclosure mailing list archives
RE: !SPAM! Automated ssh scanning
From: Stephen Agar <Stephen.Agar () bmhcc org>
Date: Thu, 26 Aug 2004 15:48:06 -0500
Somehow, this message got to me before Ron's reply did, so I will respond to both inline.On Thu, 26 Aug 2004 12:26:04 -0500 (CDT), Ron DuFresne <dufresne () winternet com> wrote:On Thu, 26 Aug 2004, Stephen Agar wrote:I think many of you are missing the point. Yes theguest/guestaccount is weak, but this kernel is (according to debian) patched..therefore free from local exploits that can beused to gainsuperuser access. I mean if this were the case, then any box that ran this version of debian to do something like "webhosting" thatgave users shell access, may as well give them all full sudo. Because you people are assuming that if someone can gainaccess to the box, secured or not, they can gain root..i disagree.The issue here is why does debain include such a weakaccount,m thaqthas not been tamed via a very restricted chroot env!?That is one issue, but given that I haven't installeddebian in years,I can't really answer it. However, I don't think it's the "main" issue. The main issue to me is, if I do install debian, and give an account to a friend (albeit not a trusted friend), do Ihave to worry about a "fully patched"box still getting rooted via a local exploit?most likely.That's not the issue though. As someone who has installed and maintained debian systems over a period of years, I canassure youthat debian does not include a guest account (or anyaccount) with aweak password or shell. There aren't any shell accounts other than root on adebian installuntil added by the administrator. The weak account in question here was created by theoriginal posterwith the intent of catching one of these apparently automated ssh attacks.If he did create those accounts himself for "honeypot"purposes, andthis isnt default on that debian install then it has shown us all something. It has opened the flood gates for discussion about local exploits in that particular install, that we would assumewere patched(unless they are undisclosed vulns..but do we really thinkthe scriptkiddies have that many 0day exploits...yikes!)how many times in the last year has kde or gnome been patched to deal with a particular security issue? How about the kernel? apache? openssl? etc..., now consider what one poster said a few replies back about there being undisclosed holes in merely the kernel for linux, then reconsider his statements inline with all the packages installed in a desktop, server etc offered by the various dists setups... Now to tweak the issues tightly into mind, look at how many updated RPM's or DBM's or what yer fav dist formats it's packages and understand, the vast majority of those updated packages are there because they addressed security issues from this and the various other lists on the topic... Then, take a deep breath so as to not turn purple once you have taken this in....
Yes...of course things have to be discovered, and brought to the attention of the appropriate people..and take time to be fixed. If someone with the appropriate skills wants to get into your box...unless it's totally inaccessible to the world, they can probably find a way. I however don't think the culprit in this case was anything more than a kiddie who downloaded "brutessh2" and another publically known exploit..and used it. However, as is often the case..I could be totally wrong.
As Barry pointed to directly, it all depends upon what you make available to your clients once in a shell. It;s verylikely yourserver would be as exploitable as most 'default' installswith the kitchen sink dropped in.Perhaps not, but likely, depending upon what you 'installedand allowclients access to'. Thanks, Ron DuFresneI agree, if this was a production box...then any shellaccount I hadwould either be set up for something like "scp only" for a"web host",or jailed very tightly..along with every other servicerunning on thebox. I was just saying, that if I install my box, and apply every available patch, I would expect it to be free of localexploits as well as remote ones.Unless you know and trust all the folks you share shells with on the net, be concerned. expect nothing, you now have a clue. Oh, and understand, even the pay large sums vendors face the same issues, hp, solaris, sgi, etc, same issues. Make all choices carefully with full awareness of the consquences of the choices you make.
I had a "clue" before. We tell people that "after you install, patch everything and turn off unneeded services". I guess we should say, "go ahead and do all that, but you're still screwed".
Thanks, Ron DuFresne
I don't disagree with anything you say...I guess I just have that "damned if you do, damned if you don't" kind of feeling. --stephen _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: Re: !SPAM! Automated ssh scanning, (continued)
- Re: Re: !SPAM! Automated ssh scanning Maarten (Aug 28)
- Re: Re: !SPAM! Automated ssh scanning gadgeteer (Aug 28)
- Re: Re: Re: !SPAM! Automated ssh scanning Maarten (Aug 29)
- Re: Re: Re: !SPAM! Automated ssh scanning gadgeteer (Aug 29)
- Re: Re: Re: Re: !SPAM! Automated ssh scanning Maarten (Aug 29)
- Re: !SPAM! Automated ssh scanning gadgeteer (Aug 29)
- Re: Re: !SPAM! Automated ssh scanning Ron DuFresne (Aug 28)
- RE: !SPAM! Automated ssh scanning Ron DuFresne (Aug 26)
- Re: !SPAM! Automated ssh scanning gadgeteer (Aug 28)