Security Incidents mailing list archives

Re: Attacks against SSH?


From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert () uumail gov bc ca>
Date: Mon, 03 Dec 2001 13:10:27 -0800

Wu-ftpd raises a red flag, as it is more likely to be the compromise
vehicle than OpenSSH.  I'm not ruling out OpenSSH; however, without any
proof, just conjecture based upon incomplete log information (we don't
know if wu-ftpd was logging anything), we really don't know whether
OpenSSH or wu-ftpd was the entry point.

Additionally, I notice that the hostname is "ns".  Could BIND be 
running on this system?  Has BIND been ruled out as a point of 
compromise?

I'm not saying that it's not OpenSSH.  I'm pointing out that especially 
during compromise investigations we need to avoid jumping to 
conclusions.


Regards,                         Phone:  (250)387-8437
Cy Schubert                        Fax:  (250)387-5766
Team Leader, Sun/Alpha Team      Email:  Cy.Schubert () osg gov bc ca
Open Systems Group, ITSD
Ministry of Management Services
Province of BC

In message <3C0B2A0F.944E79A3 () adm gu se>, johan.augustsson () adm gu se writes:

I stumbled over this post at the openssh-unix-dev mailing list last week -
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=100701808712180&w=2
The poster claims that he had OpenSSH-2.9p2-8.7 (latest update for
RedHat 7.0) up and running when he received what looks to be a
CRC32 attack. A few minutes later you can see (he posted parts of the
logfile) a new user being created with uid=0 and then how a connection
is made from a system in Israel.

There has been no confirmation about what he writes but I received the
following mail as an answer to my questions.

------ Message ------
I posted an openssh security alert earlier today and already got some
responses.
Thanks for everything.

Instead of replying to everyone individually I composed the details of
the attack.

+++

It does not look like the work of worms.
Snort did not detect a mass port scan from the attacker's IP address. It
seems that he (I assumed, so I don't have to type he/she all the way)
just wants to gain access through openssh.

The server is running Red Hat 7.0, with all packages up to date. The
following daemons are running: wu-ftpd, apache, telnet, openssh, named.
I never access the system via telnet; it is there just for backup
purposes.
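As an added illustration that is not part of either message: the triage Cy Schubert argues for, applied to a constructed syslog extract. It finds each account created with UID 0 and lists every daemon that logged activity shortly before it, so sshd, ftpd and named all show up as candidate entry points instead of OpenSSH being assumed. The hostname, addresses, account name and timestamps are made up; the sshd message text is OpenSSH's own crc32 compensation attack detector message, and the useradd line follows the shadow-utils syslog format.

```python
"""Triage helper: for each UID=0 account creation in a syslog extract, list
which daemons logged activity in the preceding window, so no single service
is assumed to be the entry point.  Sample log lines are constructed."""
import re
from datetime import datetime, timedelta

# Constructed sample syslog extract (classic syslog does not log the year).
SAMPLE_LOG = """\
Nov 28 02:11:03 ns ftpd[2071]: FTP LOGIN FROM 192.0.2.10 [192.0.2.10], anonymous
Nov 28 02:12:40 ns sshd[2105]: Disconnecting: crc32 compensation attack: network attack detected
Nov 28 02:13:01 ns named[412]: unexpected RCODE (SERVFAIL) resolving 'example.net/A/IN'
Nov 28 02:15:22 ns useradd[2133]: new user: name=backdoor, UID=0, GID=0, home=/tmp/x, shell=/bin/bash
Nov 28 02:16:05 ns sshd[2140]: Accepted password for backdoor from 198.51.100.7 port 4110 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"(?P<daemon>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
UID0_RE = re.compile(r"new user: name=(?P<name>[^,]+), UID=0,")

def parse(log, year=2001):
    """Parse syslog lines into dicts with a datetime timestamp (year assumed)."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "daemon": m["daemon"], "msg": m["msg"]})
    return events

def preceding_activity(events, window=timedelta(minutes=10)):
    """For each UID=0 account creation, map each daemon that logged anything
    within `window` before it to the messages it logged (candidate entry points)."""
    findings = []
    for ev in events:
        u = UID0_RE.search(ev["msg"])
        if not u:
            continue
        by_daemon = {}
        for e in events:
            if ev["ts"] - window <= e["ts"] < ev["ts"]:
                by_daemon.setdefault(e["daemon"], []).append(e["msg"])
        findings.append({"account": u["name"], "ts": ev["ts"], "candidates": by_daemon})
    return findings

if __name__ == "__main__":
    for f in preceding_activity(parse(SAMPLE_LOG)):
        print(f"uid 0 account '{f['account']}' created {f['ts']}; candidate entry points:")
        for daemon, msgs in f["candidates"].items():
            print(f"  {daemon}: {len(msgs)} event(s), e.g. {msgs[0]}")
```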



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
