Security Incidents mailing list archives

RE: possible ssh hack

From: "Loki" <loki () fatelabs com>
Date: Wed, 11 Sep 2002 15:02:51 -0400
Also.. Check your /var/log/messages file and your
/path/to/apache/logs/error_log for the following items. The Log
Forensics team at Fate Labs recently did an analysis of apache-nosejob
and sshd.
Here are some common footprints those exploits leave.

------- apache chunking exploit ---------

[Sat Aug 31 02:38:15 2002] [notice] Apache/1.3.24 (Unix) configured --
resuming normal operations
[Sat Aug 31 02:38:15 2002] [notice] Accept mutex: flock (Default: flock)
[Sat Aug 31 02:38:25 2002] [notice] child pid 18709 exit signal
Segmentation fault (11)
[Sat Aug 31 02:38:25 2002] [notice] child pid 2755 exit signal
Segmentation fault (11)
[Sat Aug 31 02:38:25 2002] [notice] child pid 28354 exit signal
Segmentation fault (11)
[Sat Aug 31 02:38:25 2002] [notice] child pid 27110 exit signal
Segmentation fault (11)
[Sat Aug 31 02:38:25 2002] [notice] child pid 28888 exit signal
Segmentation fault (11)
[Sat Aug 31 02:38:25 2002] [notice] child pid 32142 exit signal
Segmentation fault (11)
[Sat Aug 31 02:38:27 2002] [notice] child pid 6740 exit signal
Segmentation fault (11)
[Sat Aug 31 02:38:27 2002] [notice] child pid 21507 exit signal
Segmentation fault (11)
[Sat Aug 31 02:38:28 2002] [notice] child pid 4969 exit signal
Segmentation fault (11)
[Sat Aug 31 02:38:28 2002] [notice] child pid 27417 exit signal
Segmentation fault (11)
[Sat Aug 31 02:38:28 2002] [notice] child pid 14010 exit signal
Segmentation fault (11)
[Sat Aug 31 02:38:28 2002] [notice] child pid 12271 exit signal
Segmentation fault (11)
[Sat Aug 31 02:38:29 2002] [notice] child pid 16779 exit signal
Segmentation fault (11)
[Sat Aug 31 02:38:29 2002] [notice] child pid 23834 exit signal
Segmentation fault (11)
[Sat Aug 31 02:38:29 2002] [notice] child pid 17386 exit signal
Segmentation fault (11)
[Sat Aug 31 02:38:29 2002] [notice] child pid 12003 exit signal
Segmentation fault (11)

------- sshd crc32 ---------

Aug 28 16:59:20 research () fatelabs net sshd[29178]: log: Connection from
192.168.0.1port 56215
Aug 28 16:59:28 research () fatelabs net sshd[29179]: log: Connection from
192.168.0.1port 59150
Aug 28 16:59:35 research () fatelabs net sshd[29180]: log: Connection from
192.168.0.1port 51777
Aug 28 16:59:42 research () fatelabs net sshd[29180]: fatal: Local:
Corrupted check bytes on input.
Aug 28 16:59:42 research () fatelabs net sshd[29181]: log: Connection from
192.168.0.1port 53554
Aug 28 16:59:49 research () fatelabs net sshd[29182]: log: Connection from
192.168.0.1port 63955
Aug 28 16:59:55 research () fatelabs net sshd[29182]: fatal: Local:
Corrupted check bytes on input.
Aug 28 17:03:38 research () fatelabs net sshd[29212]: fatal: Local: crc32
compensation attack: network attack detected

------------------------------

The biggest talltale sign that an SSHD attack took place are attempts to
connect to the SSHD process from the same IP Address dozens of times,
and of course... A warning from the SSHD process that a crc32
compensation attack is being detected.

To get packet dumps from the attacks we ran, goto
http://www.fatelabs.com and click on Research -> Log Project

Hope this helps.

Eric/Loki
Fate Research Labs
www.fatelabs.com















-----Original Message-----
From: Ver Allan Sumabat [mailto:ver_allan () yahoo com] 
Sent: Tuesday, September 10, 2002 6:08 AM
To: incidents () securityfocus com
Subject: possible ssh hack


Hi,

We have just recently been hacked. I have no idea how
he came in. Here are my preliminary investigations:

1. He was able to add a user without logging in.

**Unmatched Entries**
Sep  5 10:39:33 srv1 sshd[20514]: Could not reverse
map address 10.13.41.4.
Sep  5 10:39:35 srv1 sshd[20514]: Accepted password
for root from 10.13.41.4
port 4207
Sep  5 17:30:36 srv1 sshd[23299]: Could not reverse
map address 10.13.41.4.
Sep  5 17:30:41 srv1 sshd[23299]: Accepted password
for root from 10.13.41.4
port 2491
Sep  5 22:16:59 srv1 useradd[23532]: new group:
name=war, gid=502
Sep  5 22:16:59 srv1 useradd[23532]: new user:
name=war, uid=502, gid=502,
home=/home/war, shell=/bin/bash
Sep  5 22:17:31 srv1 sshd[23534]: Accepted password
for war from
212.179.207.211 port 2746
Sep  5 22:19:17 srv1 sshd[23580]: fatal: Read from
socket failed: Connection
reset by peer
Sep  5 22:21:48 srv1 sshd[928]: Received SIGHUP;
restarting.


2. He installed a tarball w00tkit.tgz in /home/war

3. After running chkrootkit, the significant lines
are:

...
Checking `ifconfig'... INFECTED
...
Searching for Showtee... Warning: Possible Showtee
Rootkit installed
...
Checking `lkm'... You have     1 process hidden for ps
command
Warning: Possible LKM Trojan installed

4. ssh won't run anymore

Can anyone help me on how the intrusion was done?

Thanks.

Regards,

Allan

__________________________________________________
Yahoo! - We Remember
9-11: A tribute to the more than 3,000 lives lost
http://dir.remember.yahoo.com/tribute

------------------------------------------------------------------------
----
This list is provided by the SecurityFocus ARIS analyzer service. For
more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Current thread:

possible ssh hack Ver Allan Sumabat (Sep 10)
- Re: possible ssh hack Alvin Oga (Sep 10)
- Re: possible ssh hack Adam Bultman (Sep 10)
- RE: possible ssh hack Loki (Sep 11)
- RE: possible ssh hack Loki (Sep 11)