openssh vulnerability WITH TCP DUMP! (OpenSSH Development forum, Networking and Network Related)
Hi Guys,
My Debian box has been hacked a few days ago using an OpenSSH vulnerability. Subsequently my box was used for sending spam and as a hacking platform (according to my ISP). I was running a fairly recent version of OpenSSH (3.9p1). I reinstalled my box (now with 3.8p1 as supplied by Debian Stable), and started tcpdump to see if I would get lucky. I DID!

The auth.log file shows the following:

    Nov 4 06:25:01 localhost su[5715]: + ??? root:nobody
    Nov 4 06:25:01 localhost su[5715]: (pam_unix) session opened for user nobody by (uid=0)

In the auth.log from my hacked box, I also had these lines. However, I could not correlate them to TCP messages, so they didn't help me. Now, I do have a full tcp dump ;-)

In the dump file, I found three simple messages that did the job.

First: a SYN request to the ssh port:

    0000  00 01 80 57 16 3d 00 90 d0 af 86 eb 08 00 45 00   ...W.=.. ......E.
    0010  00 30 3c 2d 00 00 74 06 1b fd d2 f0 11 2c 0a 00   .0<-..t. .....,..
    0020  00 82 d6 d3 00 16 7e c1 e4 5f 75 72 0c 80 70 02   ......~. ._ur..p.
    0030  ff ff d8 83 00 00 02 04 05 b4 01 01 04 02         ........ ......

Next, the reply from my box (SYN ACK):

    0000  00 90 d0 af 86 eb 00 01 80 57 16 3d 08 00 45 00   ........ .W.=..E.
    0010  00 30 00 00 40 00 40 06 4c 2a 0a 00 00 82 d2 f0   .0..@.@. L*......
    0020  11 2c 00 16 d6 d3 55 c4 46 41 7e c1 e4 60 70 12   .,....U. FA~..`p.
    0030  16 d0 a7 8f 00 00 02 04 05 b4 01 01 04 02         ........ ......

And then the killer: a RST message. The weird ACK (2856040895 according to Ethereal) seems to be the culprit:

    0000  00 01 80 57 16 3d 00 90 d0 af 86 eb 08 00 45 00   ...W.=.. ......E.
    0010  00 28 a3 31 40 00 34 06 b5 00 d2 f0 11 2c 0a 00   .(.1@.4. .....,..
    0020  00 82 d6 d3 00 16 7e c1 e4 60 00 00 00 00 50 04   ......~. .`....P.
    0030  00 00 87 36 00 00 00 00 00 00 00 00               ...6.... ....

I don't have a clue how this could cause a session for nobody to be started. I hope this is useful information for you to nail this thing. Or perhaps you have already nailed it, but I didn't find any information on this vulnerability in Google. If you need more information, please let me know.

Good luck,
Evert

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://www.mindrot.org/mailman/listi...enssh-unix-dev
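The three frames in the post can be read without Ethereal by decoding the Ethernet, IPv4 and TCP headers directly. The following is an added example, not code from the post or from the OpenSSH project: a small decoder that validates the IPv4 header checksum (so a mis-transcribed byte is caught), reports addresses, ports, sequence/acknowledgement numbers, TTL, flags and payload length, and checks whether three frames form the SYN / SYN-ACK / RST pattern of a half-open probe. The hex is transcribed from the dump above with the offset and ASCII columns dropped; the function and field names are this example's own.

```python
"""Decode the SYN / SYN-ACK / RST frames from the tcpdump output above.

Added example, not part of the original post or of OpenSSH. Pure standard
library; the packet bytes are transcribed from the post's hex dump.
"""
import struct
from dataclasses import dataclass, field

# Constructed input: the three frames from the post, hex only.
FRAMES = {
    "syn": (
        "00 01 80 57 16 3d 00 90 d0 af 86 eb 08 00 45 00"
        " 00 30 3c 2d 00 00 74 06 1b fd d2 f0 11 2c 0a 00"
        " 00 82 d6 d3 00 16 7e c1 e4 5f 75 72 0c 80 70 02"
        " ff ff d8 83 00 00 02 04 05 b4 01 01 04 02"
    ),
    "synack": (
        "00 90 d0 af 86 eb 00 01 80 57 16 3d 08 00 45 00"
        " 00 30 00 00 40 00 40 06 4c 2a 0a 00 00 82 d2 f0"
        " 11 2c 00 16 d6 d3 55 c4 46 41 7e c1 e4 60 70 12"
        " 16 d0 a7 8f 00 00 02 04 05 b4 01 01 04 02"
    ),
    "rst": (
        "00 01 80 57 16 3d 00 90 d0 af 86 eb 08 00 45 00"
        " 00 28 a3 31 40 00 34 06 b5 00 d2 f0 11 2c 0a 00"
        " 00 82 d6 d3 00 16 7e c1 e4 60 00 00 00 00 50 04"
        " 00 00 87 36 00 00 00 00 00 00 00 00"
    ),
}

TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


@dataclass
class TcpSummary:
    src: str
    dst: str
    ttl: int
    ip_checksum_ok: bool
    sport: int
    dport: int
    seq: int
    ack: int
    flags: list = field(default_factory=list)
    window: int = 0
    payload_len: int = 0


def ip_header_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the header; 0 means it verifies."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_frame(hexdump: str) -> TcpSummary:
    """Parse Ethernet II -> IPv4 -> TCP and summarise the TCP segment."""
    raw = bytes.fromhex(hexdump)
    if struct.unpack("!H", raw[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = raw[14:]
    if ip[0] >> 4 != 4 or ip[9] != 6:
        raise ValueError("not IPv4/TCP")
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    # Slice to IPv4 total length so Ethernet minimum-frame padding is dropped.
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4
    flags = [name for bit, name in TCP_FLAG_BITS if off_flags & bit]
    return TcpSummary(src, dst, ip[8], ip_header_checksum(ip[:ihl]) == 0,
                      sport, dport, seq, ack, flags, window, len(tcp) - data_off)


def is_half_open_probe(syn: TcpSummary, synack: TcpSummary, rst: TcpSummary) -> bool:
    """True when the trio is SYN, SYN+ACK answering it, then a bare RST
    whose sequence number is the SYN-ACK's acknowledgement number, all
    with no payload: a connection opened and torn down before any data."""
    same_tuple = (syn.sport, syn.dport) == (rst.sport, rst.dport) == (synack.dport, synack.sport)
    return (same_tuple
            and syn.flags == ["SYN"] and synack.flags == ["SYN", "ACK"]
            and rst.flags == ["RST"]
            and synack.ack == (syn.seq + 1) & 0xFFFFFFFF
            and rst.seq == synack.ack
            and syn.payload_len == synack.payload_len == rst.payload_len == 0)


if __name__ == "__main__":
    decoded = {name: decode_frame(h) for name, h in FRAMES.items()}
    for name, s in decoded.items():
        print(f"{name:6} {s.src}:{s.sport} -> {s.dst}:{s.dport} ttl={s.ttl} "
              f"seq={s.seq:#010x} ack={s.ack:#010x} {'|'.join(s.flags)} "
              f"win={s.window} payload={s.payload_len} ipcsum_ok={s.ip_checksum_ok}")
    print("half-open probe:", is_half_open_probe(decoded["syn"], decoded["synack"], decoded["rst"]))
```

Run against the post's bytes, all three IPv4 header checksums verify, every segment has a zero-length payload, and the RST's acknowledgement field is 0 with the ACK flag clear; its sequence number (0x7ec1e460) is exactly the acknowledgement number the SYN-ACK carried. The client's SYN also arrives with TTL 116 and a non-zero acknowledgement number despite the ACK flag being clear, while its RST arrives with TTL 52. Decoding the headers this way is the first check to make before attributing a log entry to a captured exchange: here the capture contains a complete open-and-reset with no SSH data at all.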