Re: openssh vulnerability WITH TCP DUMP!

OpenSSH Development forum (Networking and Network Related), post #1, 11-04-2005, Darren Tucker

On Fri, Nov 04, 2005 at 11:54:14AM +0100, Evert van de Waal wrote:
> My Debian box has been hacked a few days ago using an OpenSSH
> vulnerability. Subsequently my box was used for sending spam and as a
> hacking platform (according to my ISP).

Why do you think this is an OpenSSH vulnerability? I've only partly
decoded the traces but it looks like the ssh connection was being
dropped immediately after establishment (such as would be expected if,
eg, you are using tcpwrappers). There's no SSH traffic at all, not even
the protocol handshake.

> I was running a fairly recent version of OpenSSH (3.9p1). I reinstalled
> my box (now with 3.8p1 as supplied by Debian Stable), and started
> tcpdump to see if I would get lucky. I DID!

3.9p1 built from vanilla source? If so, built with what options?
If not, where did you get it?

> The auth.log file shows the following:
> Nov 4 06:25:01 localhost su[5715]: + ??? root:nobody
> Nov 4 06:25:01 localhost su[5715]: (pam_unix) session opened for user nobody by (uid=0)

I don't think that's related. It's a su from root to nobody, and there
seems to be some job in the base Debian installation that does that
at 06:25 (probably the updatedb job).

The sshd syslog entries would be more interesting. I suspect they'll say
"refused connection from (some IP)".

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://www.mindrot.org/mailman/listi...enssh-unix-dev
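The two checks Darren suggests (does the trace show any SSH protocol traffic after the TCP handshake, and what do the sshd and su syslog lines actually say) can be scripted. The block below is an added example for this thread, not code posted by either participant or shipped with OpenSSH. It assumes tcpdump-style flag strings (S, S., ., P., F., R), Debian's default syslog line layout, and libwrap's refusal wording "refused connect from HOST (HOST)" (the post paraphrases this as "refused connection from"); the packet flow, log lines and addresses are constructed for illustration.

```python
"""Triage helpers: did an SSH session ever get past the TCP handshake, and
which syslog lines are tcp_wrappers refusals, real sshd logins, or the
unrelated root->nobody su that a cron job performs?  Added example for the
thread above; all sample data is constructed."""
import re
from dataclasses import dataclass


@dataclass
class Segment:
    ts: float
    src: str           # "ip:port"
    dst: str
    flags: str         # tcpdump-style TCP flags: S, S., ., P., F., R
    payload: bytes = b""


def ssh_handshake_seen(segments):
    """Return (tcp_handshake_complete, first_ssh_banner_or_None, teardown).

    OpenSSH sends its "SSH-2.0-..." (or "SSH-1.99-...") identification
    string as the very first bytes after the TCP handshake.  A flow that
    completes SYN / SYN-ACK / ACK and is then closed (FIN or RST) with no
    such banner from either side never ran any SSH protocol at all, which
    is exactly what a tcp_wrappers refusal looks like on the wire.
    """
    syn = synack = ack = False
    banner = None
    teardown = None
    for seg in segments:
        if seg.flags == "S":
            syn = True
        elif seg.flags == "S.":
            synack = True
        elif syn and synack and not ack:
            ack = True                      # third segment completes the handshake
        if banner is None and seg.payload.startswith(b"SSH-"):
            banner = seg.payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
        if "R" in seg.flags or "F" in seg.flags:
            teardown = "RST" if "R" in seg.flags else "FIN"
            break                           # first teardown decides; ignore trailing ACKs
    return syn and synack and ack, banner, teardown


# Debian-style syslog: "Mon DD HH:MM:SS host prog[pid]: message" (assumed layout).
SYSLOG = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"(?P<prog>[\w/-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")

# (label, program, message pattern).  The first pattern is libwrap's wording
# when sshd is built with tcp_wrappers support (assumption stated in lead-in).
RULES = [
    ("tcpwrappers_refused", "sshd",
     re.compile(r"^refused connect from (?P<ip>\S+)")),
    ("ssh_login_accepted", "sshd",
     re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+)")),
    ("ssh_auth_failed", "sshd",
     re.compile(r"^Failed (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")),
    ("su_root_to_nobody_cron", "su",
     re.compile(r"^(?:\+ \S+ root:nobody|\(pam_unix\) session opened for user nobody by \(uid=0\))")),
]


def classify(line):
    """Map one syslog line to (label, extracted fields)."""
    m = SYSLOG.match(line)
    if not m:
        return ("unparsed", {})
    for label, prog, pat in RULES:
        if m["prog"] == prog:
            pm = pat.match(m["msg"])
            if pm:
                return (label, {**pm.groupdict(), "ts": m["ts"]})
    return ("other", {"prog": m["prog"], "msg": m["msg"]})


def triage(segments, log_lines):
    """Combine the wire view and the log view into one summary dict."""
    handshake, banner, teardown = ssh_handshake_seen(segments)
    labels = [classify(line)[0] for line in log_lines]
    return {
        "tcp_handshake_completed": handshake,
        "ssh_banner_seen": banner is not None,
        "closed_by": teardown,
        "tcpwrappers_refusals": labels.count("tcpwrappers_refused"),
        "accepted_logins": labels.count("ssh_login_accepted"),
        "failed_auths": labels.count("ssh_auth_failed"),
        "cron_su_noise": labels.count("su_root_to_nobody_cron"),
    }


# Constructed sample flow: handshake, then the server closes with no banner.
FLOW = [
    Segment(0.000, "203.0.113.7:51234", "192.0.2.10:22", "S"),
    Segment(0.001, "192.0.2.10:22", "203.0.113.7:51234", "S."),
    Segment(0.002, "203.0.113.7:51234", "192.0.2.10:22", "."),
    Segment(0.010, "192.0.2.10:22", "203.0.113.7:51234", "F."),
    Segment(0.011, "203.0.113.7:51234", "192.0.2.10:22", "."),
]
# Same handshake, but a real SSH exchange follows (constructed banners).
FLOW_OK = FLOW[:3] + [
    Segment(0.010, "192.0.2.10:22", "203.0.113.7:51234", "P.", b"SSH-2.0-OpenSSH_3.8p1\r\n"),
    Segment(0.011, "203.0.113.7:51234", "192.0.2.10:22", "P.", b"SSH-2.0-OpenSSH_4.2\r\n"),
]
# Constructed syslog lines in the shapes discussed in the thread.
LOG = [
    "Nov  4 06:25:01 localhost su[5715]: + ??? root:nobody",
    "Nov  4 06:25:01 localhost su[5715]: (pam_unix) session opened for user nobody by (uid=0)",
    "Nov  4 06:26:13 localhost sshd[5801]: refused connect from 203.0.113.7 (203.0.113.7)",
    "Nov  4 06:27:40 localhost sshd[5822]: Accepted publickey for evert from 198.51.100.4 port 40122 ssh2",
    "Nov  4 06:28:02 localhost sshd[5830]: Failed password for invalid user admin from 203.0.113.9 port 3311 ssh2",
]

if __name__ == "__main__":
    for k, v in triage(FLOW, LOG).items():
        print(f"{k}: {v}")
```

Run against a real capture, `ssh_handshake_seen` would be fed the segments of one flow (for example from tcpdump's `-A` or `-X` output, or via a pcap reader); a result of `(True, None, "FIN")` is the "dropped immediately after establishment, no protocol handshake" picture Darren describes, while a banner from both sides means the SSH protocol actually ran and the sshd log lines for that connection deserve a close look.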