Re: openssh vulnerability WITH TCP DUMP!
This is a discussion on Re: openssh vulnerability WITH TCP DUMP! within the OpenSSH Development forums, part of the Networking and Network Related category; On Fri, 04 Nov 2005 11:54:14 +0100 Evert van de Waal <evert.vandewaal@imtech.nl> wrote: &...
|
|||||||
| FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
11-04-2005
|
|||
|
|||
Re: openssh vulnerability WITH TCP DUMP!
On Fri, 04 Nov 2005 11:54:14 +0100
Evert van de Waal <evert.vandewaal@imtech.nl> wrote: > Hi Guys, > > My Debian box has been hacked a few days ago using an OpenSSH > vulnerability. Subsequently my box was used for sending spam and as a > hacking platform (according to my ISP). How do you know it was an OpenSSH vulnerability? You have provided no evidence for this theory, indeed quite the opposite. > The aut.log file shows the following: > Nov 4 06:25:01 localhost su[5715]: + ??? root:nobody > Nov 4 06:25:01 localhost su[5715]: (pam_unix) session opened for user > nobody by > (uid=0) OpenSSH doesn't use uid nobody for anything. So, unless you had a bad password set for your nobody account or you broke your PAM configuration in some way, it probably wasn't OpenSSH that was used to break in to your system. Since you didn't actually post any logs of a break-in (just a later privilege escalation), it is impossible to tell. > In the auth.log from my hacked box, I also had these lines. However, I > could not correlate them to TCP messages, so they didn't help me. Now, I > do have a full tcp dump ;-) What you posted isn't a tcpdump, it is just a hex packet dump. Have you gone out of your way to make it hard to read your packet trace? Even snoop output would have been easier... > In the dump file, I found three simple messages that did the job: > > First: A SYN request to the ssh port > > 0000 00 01 80 57 16 3d 00 90 d0 af 86 eb 08 00 45 00 ...W.=.. ......E. > 0010 00 30 3c 2d 00 00 74 06 1b fd d2 f0 11 2c 0a 00 .0<-..t. .....,.. > 0020 00 82 d6 d3 00 16 7e c1 e4 5f 75 72 0c 80 70 02 ......~. ._ur..p. > 0030 ff ff d8 83 00 00 02 04 05 b4 01 01 04 02 ........ ...... > > Next the reply from my box (SYN ACK): > 0000 00 90 d0 af 86 eb 00 01 80 57 16 3d 08 00 45 00 ........ .W.=..E. > 0010 00 30 00 00 40 00 40 06 4c 2a 0a 00 00 82 d2 f0 .0..@.@. L*...... > 0020 11 2c 00 16 d6 d3 55 c4 46 41 7e c1 e4 60 70 12 .,....U. FA~..`p. > 0030 16 d0 a7 8f 00 00 02 04 05 b4 01 01 04 02 ........ ...... > > An then the killer. A RST message. The weird ACK (2856040895 according > to ethereal) seems to be the culprit: > 0000 00 01 80 57 16 3d 00 90 d0 af 86 eb 08 00 45 00 ...W.=.. ......E. > 0010 00 28 a3 31 40 00 34 06 b5 00 d2 f0 11 2c 0a 00 .(.1@.4. .....,.. > 0020 00 82 d6 d3 00 16 7e c1 e4 60 00 00 00 00 50 04 ......~. .`....P. > 0030 00 00 87 36 00 00 00 00 00 00 00 00 ...6.... .... This is not an attack on OpenSSH, it looks like a type of stealth portscan that completes enough of the 3-way handshake to avoid synproxy devices but not enough to activate daemons (thereby leaving spoor in the logs). Someone more interested could probably match it back to one of nmap's modes. BTW ethereal reported the wrong ack sequence number (or you transposed it wrong). -d _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@mindrot.org http://www.mindrot.org/mailman/listi...enssh-unix-dev 
|
Linear Mode
