Attacks against SSH?

Date: 12/03/01

Date: Mon, 03 Dec 2001 08:30:23 +0100

I stumbled over this post at openssh-unix-dev mailing list last week -
The poster claims that he had OpenSSH-2.9p2-8.7 (latest update for
RedHat 7.0) up and running when he received what looks to be a
CRC32-attack. A few minutes later you can see (he posted parts of the
logfile) a new user being created with uid=0 and then how a connection
is made from a system in Israel.

There has been no confirmation about what he writes but I received the
following mail as an answer to my questions.

------ Message ------
I posted an openssh security alert earlier today and already got some
Thanks for everything.

Instead of replying to everyone individually I composed the details of


It does not look like a job of worms.
Snort did not detect mass port scan from attacker's ip address. It seems
that he (I assumed, so I don't have to type he/she all the way) just
to gain access through openssh.

The server is running Red Hat 7.0. With all packages up to date. The
following daemons are running: wu-ftpd, apache, telnet, openssh, named
I never access the system via telnet, it is there just for backup

> > Nov 25 11:37:40 ns sshd[10994]: Disconnecting: crc32 compensation
> > network attack detected
> > Nov 25 11:37:48 ns sshd[11006]: Disconnecting: Corrupted check bytes on
> > input.
> > Nov 25 11:37:53 ns sshd[11013]: Disconnecting: Corrupted check bytes on
> > input.
> > Nov 25 11:37:54 ns sshd[11014]: Disconnecting: Corrupted check bytes on
> > input.
> > Nov 25 11:40:00 ns CROND[11022]: (root) CMD ( /sbin/rmmod -as)
> > Nov 25 11:40:08 ns adduser[11023]: new group: name=mattanl, gid=528
> > Nov 25 11:40:08 ns adduser[11023]: new user: name=mattanl, uid=528,
> > home=/home/mattanl, shell=/bin/bash
> > Nov 25 11:40:27 ns adduser[11027]: new group: name=mattan, gid=529
> > Nov 25 11:40:27 ns adduser[11027]: new user: name=mattan, uid=0,
> > home=/home/mattan, shell=/bin/bash

After the attacker gained root access, he created two users mattan and
He then downloaded a package: wget
The target site has been compromised. (hacked by a hacker group in
This is a login replacement package, it logs the user id and passwords.
modified rk.h to:
#define MY_LOGFILE "/dev/ttypz"
#define MY_PASSWORD "1245890"
After he compiled and installed the login replacement, something went
/bin/login was zero bytes in length. So when he came back using telnet,
was denied access. I also disabled sshd and kept one session open for
remote control after I found login was replaced. I md5 checked the system
against a good backup, nothing else was altered.

I will try to sniff all packets coming to this server on the ssh port. If
attempts to crack the server again, I will have more details. But I
guess I will have to turn the server back on.

Thanks for all your time
------ End of message ------

I had some further questions so I mailed the guy once again but have not
received any answer.

So, to the main question.
Has anyone else had a system compromised by the CRC32-attack when
running a version of sshd that is believed to be secure? OpenSSH-2.3.0
or later, SSH 1.2.32 or later.

/Johan Augustsson

Johan Augustsson Phone: +46 (0)31 773 1000
Incident Response Team Fax: +46 (0)31 773 1087
Göteborg University E-mail:
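
The log pattern in the quoted message (sshd disconnects for CRC32/check-byte errors, followed minutes later by a new uid=0 account) can be checked for mechanically. The script below is an added example, not part of the original post; the function names, the 10-minute correlation window and the supplied year are assumptions.

```python
import re
from datetime import datetime, timedelta

# Log lines taken from the message above (wrapped lines rejoined, "new group" lines omitted).
SAMPLE_LOG = """\
Nov 25 11:37:40 ns sshd[10994]: Disconnecting: crc32 compensation network attack detected
Nov 25 11:37:48 ns sshd[11006]: Disconnecting: Corrupted check bytes on input.
Nov 25 11:37:53 ns sshd[11013]: Disconnecting: Corrupted check bytes on input.
Nov 25 11:37:54 ns sshd[11014]: Disconnecting: Corrupted check bytes on input.
Nov 25 11:40:00 ns CROND[11022]: (root) CMD ( /sbin/rmmod -as)
Nov 25 11:40:08 ns adduser[11023]: new user: name=mattanl, uid=528, home=/home/mattanl, shell=/bin/bash
Nov 25 11:40:27 ns adduser[11027]: new user: name=mattan, uid=0, home=/home/mattan, shell=/bin/bash
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ([^\[:]+)\[(\d+)\]: (.*)$")
SSHD_ANOMALY = re.compile(r"crc32 compensation|Corrupted check bytes", re.I)
NEW_USER = re.compile(r"new user: name=(\S+?), uid=(\d+)")

def parse(text, year=2001):
    """Yield (timestamp, program, message); syslog omits the year, so it is supplied."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(3), m.group(5)

def correlate(text, window=timedelta(minutes=10)):
    """Return alerts for account creations that follow sshd protocol anomalies."""
    anomalies, alerts = [], []
    for ts, prog, msg in parse(text):
        if prog == "sshd" and SSHD_ANOMALY.search(msg):
            anomalies.append(ts)
        elif prog in ("adduser", "useradd"):
            m = NEW_USER.search(msg)
            if not m:
                continue
            # Count sshd anomalies seen in the window before this account creation.
            recent = [a for a in anomalies if timedelta(0) <= ts - a <= window]
            if recent:
                name, uid = m.group(1), int(m.group(2))
                alerts.append({"time": ts, "user": name, "uid": uid,
                               "sshd_anomalies": len(recent),
                               "severity": "critical" if uid == 0 and name != "root" else "high"})
    return alerts

if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(a["time"], a["severity"], a["user"], f"uid={a['uid']}",
              f"after {a['sshd_anomalies']} sshd anomalies")
```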
