Full Disclosure mailing list archives

Re: sshd logins without a source


From: Bacanu Adrian-Daniel <darkzatarra () yahoo com>
Date: Fri, 23 Sep 2011 03:05:51 -0700 (PDT)

Hi,

Your problem is related to an sshd sniffer. It is another implementation of the usual sshd server which does not log 
anything and uses the same port 22 (as default), but it can also be changed.

Are you trying to solve the problem or to reproduce the "attack"?

If you choose the first part you can track the intruder when he is logged on by the netstat command. If you try to get his 
IP from any default log (system or daemon) your work will be in vain. If you try to get rid of it, try to reinstall the 
sshd server or change the sshd_config file. There are also a few tricks to get rid of such situations, but they are a little 
bit complicated.

If you are trying to reproduce the "attack" you have to implement a preconfigured sshd server. I already did such a 
thing and it worked almost perfectly; there are still a few actions that can be hidden only by scripting. It is not such 
a hard thing to do. If you really want to catch all the steps, try implementing a honeypot on one of your test servers.

I wish you good luck,

---------------------------------
Adrian-Daniel Băcanu
---------------------------------


________________________________
From: BH <lists () blackhat bz>
To: full-disclosure () lists grok org uk
Sent: Friday, September 23, 2011 4:45 AM
Subject: [Full-disclosure] sshd logins without a source

Hi,

I am taking a look at a few different servers that have been rooted at
around the same time. At the time of the compromise I can see in each
server's sshd logs an entry like the following:

Sep 22 12:57:14 test-vm sshd[25002]: pam_unix(sshd:session): session
opened for user root by (uid=0)
Sep 22 12:57:32 test-vm sshd[25002]: pam_unix(sshd:session): session
closed for user root

Each of the servers has the same sort of entry in the log that matches
the time that extra processes were being executed. Having a look at
all other available logs (that were logged remotely) I can't see
anything else that relates to the same event. To me it seems odd that
there is no IP address corresponding with the login; I can't seem to
reproduce that on my test servers. I also can't see the authentication
method used as that isn't logged. Has anyone seen this before, and does
anyone know how this is done?

Thanks

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
