Educause Security Discussion mailing list archives

Re: Previous Thread on Increased Probes


From: Robin Jacobsen <jacobsen () SWARTHMORE EDU>
Date: Fri, 23 Jul 2004 11:02:37 -0400

Yes, there was an intrusion into one of our Macs running 10.3.4 with all
updates applied. The hacker attempted to use the machine in question for a
DDOS attack outside the College.  The path appears to have been the
not-quite-up-to-date version of SSH that Apple shipped with these computers
as well as a surprising omission in the configuration file that controls
the SSH service. SSH service is through port 22. Fortunately, the Mac comes
with Remote Login (SSH) turned off, so this will not affect most users.

Approaches to address the problem (temporarily):
1. (Easy) If possible, turn off Remote Login (System Preferences, Sharing Pane)
2. (Moderate) If SSH must be enabled, edit the /etc/sshd_config file. The
line "#Protocol 2,1" should be changed.  It should read "Protocol 2" in
order to limit connections to the newer SSH 2 version of that
protocol.  The machine should be rebooted once this change has been made
and saved.  To edit this file you will need to use a command line text
editor in the Terminal with sudo privileges.  Thus you could type:
        1. sudo pico /etc/sshd_config
        2. provide the admin password
        3. use the arrow keys to get to the line that contains "#Protocol 2,1"
        4. delete the "#" and the ",1" to make the line read "Protocol 2"
        5. use ctrl-x to Exit the program
        6. type "y" to save, and return to accept the file name of "/etc/sshd_config"
        7. Quit the Terminal Application and Reboot the Mac
3. (Harder) Update SSH and SSL yourself (generally difficult if you don't
know what you're doing)

We've been in contact with Apple about this and we're continuing to
investigate the intrusion to look for any more clues about the means by
which it was accomplished.  The ultimate solution will be for Apple to
issue an update that brings the installed version of OpenSSL and OpenSSH up
to current standards.

Yours,

Robin


At 10:40 AM 7/23/2004, you wrote:
Sorry to bring this up again but a colleague at another university has
asked me if anyone has seen a recent flood of attacks on their address
space similar to what he experienced a couple of weeks ago.  I remember
there was some talk, maybe on this list, about seeing incoming packets
from many sources with numbers near a thousand.  But in cleaning out my
Inbox after a vacation, I must have deleted that information.

Here is a sample of some of the traffic from one source found in his
logs:

Jul  9 21:21:54 gateway 1305838: 2d14h: %SEC-6-IPACCESSLOGP: list 120
permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
Jul  9 21:21:54 gateway 1305839: 2d14h: %SEC-6-IPACCESSLOGP: list 120
permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
Jul  9 21:21:54 gateway 1305841: 2d14h: %SEC-6-IPACCESSLOGP: list 120
permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
Jul  9 21:21:55 gateway 1305842: 2d14h: %SEC-6-IPACCESSLOGP: list 120
permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
Jul  9 21:21:55 gateway 1305843: 2d14h: %SEC-6-IPACCESSLOGP: list 120
permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 2 packets
Jul  9 21:21:55 gateway 1305845: 2d14h: %SEC-6-IPACCESSLOGP: list 120
permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
Jul  9 21:21:55 gateway 1305846: 2d14h: %SEC-6-IPACCESSLOGP: list 120
permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
Jul  9 21:21:55 gateway 1305848: 2d14h: %SEC-6-IPACCESSLOGP: list 120
permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
Jul  9 21:21:55 gateway 1305849: 2d14h: %SEC-6-IPACCESSLOGP: list 120
permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 2 packets
Jul  9 21:21:55 gateway 1305850: 2d14h: %SEC-6-IPACCESSLOGP: list 120
permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
Jul  9 21:21:56 gateway 1305852: 2d14h: %SEC-6-IPACCESSLOGP: list 120
permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
Jul  9 21:21:56 gateway 1305853: 2d14h: %SEC-6-IPACCESSLOGP: list 120
permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 1 packet
Jul  9 21:21:56 gateway 1305856: 2d14h: %SEC-6-IPACCESSLOGP: list 120
permitted tcp 68.100.46.121(41085) -> xxx.xxx.2.10(23), 2 packets


Is this what others were seeing, an attack on port 23?  Has anyone
determined the purpose of this flood?

Thanks!

Lois Lehman
College Network Security Manager
Physical Sciences Computer Support Manager
College of Liberal Arts & Sciences
Arizona State University
480-965-3139
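To answer the question the quoted post raises across a whole log rather than by eye, the ACL entries can be parsed and aggregated per source address and destination port. This is an added example written for this archive page, not code from either poster; the log lines in it are constructed in the thread's format with made-up addresses, and the packet threshold is an assumption.

```python
import re
# Cisco IOS ACL log entry as quoted in the thread; the mail client wrapped each entry over two lines.
ENTRY_RE = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2} (?P<time>\d\d:\d\d:\d\d) \S+ \d+: \S+: %SEC-6-IPACCESSLOGP: "
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\w.]+)\((?P<sport>\d+)\) -> (?P<dst>[\w.]+)\((?P<dport>\d+)\), "
    r"(?P<pkts>\d+) packets?$"
)
# Constructed sample in the thread's format; the addresses and ports are made up.
SAMPLE_LOG = """\
Jul  9 21:21:54 gateway 1305838: 2d14h: %SEC-6-IPACCESSLOGP: list 120
permitted tcp 198.51.100.7(41085) -> xxx.xxx.2.10(23), 1 packet
Jul  9 21:21:55 gateway 1305843: 2d14h: %SEC-6-IPACCESSLOGP: list 120
permitted tcp 198.51.100.7(41085) -> xxx.xxx.2.10(23), 2 packets
Jul  9 21:21:56 gateway 1305856: 2d14h: %SEC-6-IPACCESSLOGP: list 120
permitted tcp 198.51.100.7(41085) -> xxx.xxx.2.10(23), 2 packets
Jul  9 21:22:03 gateway 1305870: 2d14h: %SEC-6-IPACCESSLOGP: list 120
permitted tcp 203.0.113.9(51002) -> xxx.xxx.2.10(80), 1 packet
"""
def parse_entries(text):
    """Re-join wrapped entries, then parse each into a dict; unparseable entries are skipped."""
    entries = []
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if re.match(r"^[A-Z][a-z]{2}\s+\d", line):   # a new entry starts with the month
            entries.append(line)
        elif entries:                                 # continuation of the previous entry
            entries[-1] += " " + line
    records = []
    for m in filter(None, map(ENTRY_RE.match, entries)):
        r = m.groupdict()
        for k in ("sport", "dport", "pkts"):
            r[k] = int(r[k])
        records.append(r)
    return records

def summarize_port(records, dport=23):
    """Per source address: total packets, distinct source ports and time span toward dport."""
    stats = {}
    for r in (r for r in records if r["dport"] == dport):
        s = stats.setdefault(r["src"], {"packets": 0, "sports": set(),
                                        "first": r["time"], "last": r["time"]})
        s["packets"] += r["pkts"]
        s["sports"].add(r["sport"])      # one fixed source port across many hits is itself notable
        s["last"] = r["time"]
    return stats
def flag_sources(records, dport=23, min_packets=5):
    """Sources that sent at least min_packets toward dport in the sampled window (threshold assumed)."""
    return sorted(src for src, s in summarize_port(records, dport).items()
                  if s["packets"] >= min_packets)
```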

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.
