Full Disclosure mailing list archives
Re: sshd logins without a source
From: Bacanu Adrian-Daniel <darkzatarra () yahoo com>
Date: Fri, 23 Sep 2011 03:05:51 -0700 (PDT)
Hi,

Your problem is related to an sshd sniffer. It is another implementation of the usual sshd server which does not log anything and uses the same port 22 (as default), but it can also be changed.

Are you trying to solve the problem or to reproduce the "attack"? If you choose the first, you can track the intruder while he is logged on with the netstat command. If you try to get his IP from any default log (system or daemon), your work will be in vain. If you try to get rid of it, try to reinstall the sshd server or change the sshd_config file. There are also a few tricks to get rid of such situations, but they are a little bit complicated.

If you are trying to reproduce the "attack", you have to implement a preconfigured sshd server. I already did such a thing and it worked almost perfectly; there are still a few actions that can be hidden only by scripting. It is not such a hard thing to do. If you really want to catch all the steps, try to implement a honeypot on one of your test servers.

I wish you good luck,

---------------------------------
Adrian-Daniel Băcanu
---------------------------------

________________________________
From: BH <lists () blackhat bz>
To: full-disclosure () lists grok org uk
Sent: Friday, September 23, 2011 4:45 AM
Subject: [Full-disclosure] sshd logins without a source

Hi,

I am taking a look at a few different servers that have been rooted at around the same time. At the time of the compromise I can see in each server's sshd logs an entry like the following:

Sep 22 12:57:14 test-vm sshd[25002]: pam_unix(sshd:session): session opened for user root by (uid=0)
Sep 22 12:57:32 test-vm sshd[25002]: pam_unix(sshd:session): session closed for user root

Each of the servers has the same sort of entry in the log that matches the time that extra processes were being executed. Having a look at all other available logs (that were logged remotely) I can't see anything else that relates to the same event.

To me it seems odd that there is no IP address corresponding with the login; I can't seem to reproduce that on my test servers. I also can't see the authentication method used as that isn't logged.

Has anyone seen this before and know how this is done?

Thanks

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
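One way to pick such entries out of an sshd log, as an added example that is not from the thread: a normal OpenSSH login writes an "Accepted <method> for <user> from <ip> port <n>" line under the same sshd pid before the pam_unix "session opened" line, so sessions that have no such record (and therefore no source IP or auth method) can be reported. The log lines below are constructed; the pid 25002 pair is the one quoted in the original message.

```python
import re

# Constructed sample sshd log in syslog format. The pid 25010 session is a
# constructed normal login; the pid 25002 lines are the ones quoted in the thread.
SAMPLE_LOG = """\
Sep 22 12:55:01 test-vm sshd[25010]: Accepted publickey for admin from 192.0.2.10 port 51122 ssh2
Sep 22 12:55:01 test-vm sshd[25010]: pam_unix(sshd:session): session opened for user admin by (uid=0)
Sep 22 12:57:14 test-vm sshd[25002]: pam_unix(sshd:session): session opened for user root by (uid=0)
Sep 22 12:57:32 test-vm sshd[25002]: pam_unix(sshd:session): session closed for user root
Sep 22 12:58:40 test-vm sshd[25010]: pam_unix(sshd:session): session closed for user admin
"""

# The authentication record OpenSSH logs once a login succeeds.
ACCEPTED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)")
# The PAM session record that the thread's servers show on its own.
OPENED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"pam_unix\(sshd:session\): session opened for user (?P<user>\S+)")


def find_sourceless_sessions(log_text):
    """Return (timestamp, pid, user) for every 'session opened' line whose
    sshd pid has no earlier 'Accepted ... from <ip>' line in the log."""
    accepted = {}      # pid -> (user, ip, method) for logins with a source
    suspicious = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            accepted[m["pid"]] = (m["user"], m["ip"], m["method"])
            continue
        m = OPENED_RE.search(line)
        if m and m["pid"] not in accepted:
            suspicious.append((m["ts"], m["pid"], m["user"]))
    return suspicious


if __name__ == "__main__":
    for ts, pid, user in find_sourceless_sessions(SAMPLE_LOG):
        print(f"{ts} sshd[{pid}]: session for {user} has no Accepted/source record")
```

Pids are reused on a busy host, so a production version should also bound the pairing by time, and a replaced sshd that forges its own "Accepted" line would not be caught by this check, which only covers the omission described in the thread.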