Re: Attacks against SSH?

From: Cy Schubert - ITSD Open Systems Group (Cy.Schubertat_private)
Date: Mon Dec 03 2001 - 13:10:27 PST

    Wu-ftpd raises a red flag, as it is more likely to be the compromise
    vehicle than OpenSSH.  I'm not ruling out OpenSSH; however, without any 
    proof, just conjecture based upon incomplete log information (we don't 
    know if wu-ftpd was logging anything), we really don't know whether 
    OpenSSH or wu-ftpd was the entry point.
    
    Additionally, I notice that the hostname is "ns".  Could BIND be 
    running on this system?  Has BIND been ruled out as a point of 
    compromise?
    
    I'm not saying that it's not OpenSSH.  I'm pointing out that especially 
    during compromise investigations we need to avoid jumping to 
    conclusions.
    
    
    Regards,                         Phone:  (250)387-8437
    Cy Schubert                        Fax:  (250)387-5766
    Team Leader, Sun/Alpha Team      Email:  Cy.Schubertat_private
    Open Systems Group, ITSD
    Ministry of Management Services
    Province of BC
    
    In message <3C0B2A0F.944E79A3at_private>, johan.augustssonat_private writes:
    > 
    > I stumbled over this post at the openssh-unix-dev mailing list last week -
    > http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=100701808712180&w=2
    > The poster claims that he had OpenSSH-2.9p2-8.7 (latest update for
    > RedHat 7.0) up and running when he received what looks to be a
    > CRC32 attack. A few minutes later you can see (he posted parts of the
    > logfile) a new user being created with uid=0 and then how a connection
    > is made from a system in Israel.
    > 
    > There has been no confirmation about what he writes, but I received the
    > following mail as an answer to my questions.
    > 
    > ------ Message ------
    > I posted an openssh security alert earlier today and already got some
    > responses.
    > Thanks for everything.
    > 
    > Instead of replying to everyone individually I composed the details of
    > the attack.
    > 
    > +++
    > 
    > It does not look like the job of worms.
    > Snort did not detect a mass port scan from the attacker's IP address. It seems
    > that he (I assumed, so I don't have to type he/she all the way) just
    > wants to gain access through openssh.
    > 
    > The server is running Red Hat 7.0, with all packages up to date. The
    > following daemons are running:  wu-ftpd, apache, telnet, openssh, named
    > I never access the system via telnet; it is there just for backup
    > purposes.
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
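An added example, not part of the thread above and not code from any of its authors: a small Python triage script that does what Cy's reply argues for. Instead of assuming the first suspicious sshd line is the entry point, it parses a syslog excerpt, anchors on the event that matters (an account added with uid 0), and lists every service that logged anything in the window before it, together with which known indicator strings fired. The log lines are constructed for the example; the sshd message reuses the wording of OpenSSH's CRC32 compensation attack detector, and the ftpd, named and useradd lines imitate the shape of wu-ftpd, BIND and shadow-utils messages without being copied from any real incident. The `INDICATORS` table is a hypothetical, deliberately short list.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample syslog excerpt (not lines from the original post).
SAMPLE_LOG = """\
Nov 26 03:12:01 ns sshd[1044]: Disconnecting: crc32 compensation attack: network attack detected
Nov 26 03:12:03 ns ftpd[1050]: FTP LOGIN FROM 10.9.8.7 [10.9.8.7], anonymous
Nov 26 03:12:09 ns named[412]: lame server resolving 'example.net' (in 'example.net'?): 10.9.8.7#53
Nov 26 03:14:40 ns useradd[1077]: new user: name=backup2, uid=0, gid=0, home=/, shell=/bin/sh
Nov 26 03:15:02 ns sshd[1080]: Accepted password for backup2 from 10.9.8.7 port 4312 ssh2
"""

# Classic syslog layout: "Mon DD HH:MM:SS host prog[pid]: message".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[\w.-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Hypothetical per-service indicator strings; a real triage list is far longer.
INDICATORS = {
    "sshd": ["crc32 compensation attack", "Corrupted check bytes"],
    "ftpd": ["FTP LOGIN FROM"],
    "named": ["lame server", "denied"],
}


@dataclass
class Event:
    ts: datetime
    host: str
    prog: str
    pid: Optional[int]
    msg: str


def parse_log(text, year=2001):
    """Parse syslog lines; syslog carries no year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip garbled lines rather than abort the whole triage
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        pid = int(m["pid"]) if m["pid"] else None
        events.append(Event(ts, m["host"], m["prog"], pid, m["msg"]))
    return events


def root_account_creations(events):
    """useradd events that created an account with uid 0."""
    return [e for e in events
            if e.prog == "useradd" and re.search(r"\buid=0\b", e.msg)]


def candidate_entry_points(events, window_minutes=10):
    """Anchor on the first uid-0 account creation and report every service
    active in the preceding window plus which indicators fired.  Several
    candidates is the honest answer when the logs are thin."""
    creations = root_account_creations(events)
    if not creations:
        return None
    pivot = creations[0]
    start = pivot.ts - timedelta(minutes=window_minutes)
    prior = [e for e in events if start <= e.ts < pivot.ts]
    fired = defaultdict(list)
    for e in prior:
        for needle in INDICATORS.get(e.prog, []):
            if needle in e.msg:
                fired[e.prog].append(needle)
    name = re.search(r"name=([^,]+)", pivot.msg)
    return {
        "account": name.group(1) if name else None,
        "created_at": pivot.ts,
        "services_active_before": sorted({e.prog for e in prior}),
        "indicators": dict(fired),
    }


if __name__ == "__main__":
    report = candidate_entry_points(parse_log(SAMPLE_LOG))
    print(f"uid 0 account {report['account']!r} added at {report['created_at']}")
    print("services active in the preceding window:",
          ", ".join(report["services_active_before"]))
    for prog, hits in report["indicators"].items():
        print(f"  {prog}: {', '.join(hits)}")
```

On the constructed sample the report names sshd, ftpd and named as all active before the uid-0 account appeared, with an indicator firing for each; the script deliberately ranks nothing, since the logs alone cannot say which service was the entry point. Widening or narrowing `window_minutes` changes the candidate set, which is itself a useful reminder of how much of an attribution rests on the window chosen.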
    



    This archive was generated by hypermail 2b30 : Mon Dec 03 2001 - 15:30:27 PST