Re: SSH attacks?

From: Chris Brenton (cbrenton_at_chrisbrenton.org)
Date: 07/29/04

    To: Jyri Hovila <jyri.hovila@iki.fi>
    Date: Thu, 29 Jul 2004 15:03:21 -0400
    
    

    On Wed, 2004-07-28 at 15:05, Jyri Hovila wrote:
    >
    > It seems that at least one host has been rooted somehow relating to the
    > scans we're seeing:
    >
    > http://www.dslreports.com/forum/remark,10854834~mode=flat~days=9999~start=60

    More than just one. I'm willing to bet every source IP that hits you was
    compromised the same way.

    One interesting tidbit I've noticed is that every source IP I've
    checked had SQL listening. Not sure if it's related or a coincidence.

    > I'm pretty sure there is a new SSH exploit around. At least this clearly
    > isn't a brute force attack.

    I guess I don't see how you are drawing that conclusion. To quote from
    the link you provided above:

    [QUOTE]
    Jul 12 22:26:51 server sshd[12868]: Accepted password for test from
    130.15.15.239 port 1954 ssh2
    Jul 12 22:42:35 server sshd[13998]: Accepted password for test from
    216.55.164.10 port 56454 ssh2
    [/QUOTE]

    IMHO this *is not* an exploit, but rather a connection due to a poor
    password policy for the user "test" (in other words, this is classic
    brute force). You could be running an outdated SSH version, use good
    passwords, and be totally safe from this type of attack (not that I'm
    advocating running outdated software, just trying to make a point).

    > As we are seeing lots of scans, but only few
    > rooted hosts, it really doesn't look like a worm either. Someone seems
    > to be scanning for vulnerable SSH daemons, obviously using previously
    > rooted hosts, and then roots vulnerable hosts of his/her choice
    > manually.

    Based on the info I've seen, I believe the brute force portion is
    automated while the actual toolkit install and "rooting" is being done
    manually. It looks too much like a newbie fumbling around.

    > As I wrote in my previous message, I think it's a good choice to limit
    > access to SSH until this issue is solved.

    Always a good idea, but if it was me I would grab a copy of John The
    Ripper, the passwd & shadow files, and ensure you are using decent
    passwords on all of your accounts.

    HTH,
    Chris
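
The pattern Chris describes above (automated password guessing that eventually lands an "Accepted password" for a weak account like "test") can be pulled out of sshd logs mechanically. The following is an added example, not code from the thread or from OpenSSH: it parses the standard OpenSSH "Accepted password" / "Failed password" syslog lines and flags any successful password login from a source IP that had already racked up a run of failures. The sample log lines, hostnames, PIDs and the 192.0.2.10 address are constructed for the example; the accepted line mirrors the one quoted in the thread. The failure threshold of 5 is an arbitrary assumption.

```python
"""Flag SSH password logins that follow a brute-force run in sshd syslog.

Added example for this thread, not part of the original post. Log lines
below are constructed; formats match OpenSSH's password-auth messages.
"""
import re
from collections import defaultdict

# Matches both outcomes of sshd password authentication, e.g.
#   "Accepted password for test from 130.15.15.239 port 1954 ssh2"
#   "Failed password for invalid user admin from 10.0.0.5 port 40000 ssh2"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2"
)


def parse(lines):
    """Yield (timestamp, result, user, ip) for each password-auth line;
    lines that are not password-auth messages are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("result"), m.group("user"), m.group("ip")


def find_bruteforce_logins(lines, threshold=5):
    """Return successful logins preceded by >= threshold failures from the
    same source IP (any username).  That is what a dictionary attack that
    finally guesses a weak password looks like in the log; a login with no
    prior failures from its IP is left alone.  threshold=5 is an assumption.
    """
    failures = defaultdict(int)       # ip -> failed attempts so far
    users_tried = defaultdict(set)    # ip -> usernames it guessed
    hits = []
    for ts, result, user, ip in parse(lines):
        if result == "Failed":
            failures[ip] += 1
            users_tried[ip].add(user)
        elif failures[ip] >= threshold:
            hits.append({
                "ip": ip,
                "user": user,
                "timestamp": ts,
                "failures": failures[ip],
                "users_tried": sorted(users_tried[ip]),
            })
    return hits


# Constructed sample: one source guesses admin/guest/test and then gets in
# as "test"; a second source logs in cleanly; one unrelated sshd line.
SAMPLE_LOG = [
    "Jul 12 22:20:01 server sshd[12801]: Failed password for invalid user admin from 130.15.15.239 port 1901 ssh2",
    "Jul 12 22:20:09 server sshd[12805]: Failed password for invalid user admin from 130.15.15.239 port 1905 ssh2",
    "Jul 12 22:21:30 server sshd[12812]: Failed password for invalid user guest from 130.15.15.239 port 1912 ssh2",
    "Jul 12 22:23:02 server sshd[12820]: Failed password for test from 130.15.15.239 port 1920 ssh2",
    "Jul 12 22:24:45 server sshd[12831]: Failed password for test from 130.15.15.239 port 1931 ssh2",
    "Jul 12 22:25:50 server sshd[12840]: Failed password for test from 130.15.15.239 port 1940 ssh2",
    "Jul 12 22:26:51 server sshd[12868]: Accepted password for test from 130.15.15.239 port 1954 ssh2",
    "Jul 12 22:30:00 server sshd[13000]: Did not receive identification string from 198.51.100.7",
    "Jul 12 22:31:12 server sshd[13010]: Accepted password for jyri from 192.0.2.10 port 50022 ssh2",
]


if __name__ == "__main__":
    for hit in find_bruteforce_logins(SAMPLE_LOG):
        print(f"{hit['timestamp']}  {hit['ip']} logged in as {hit['user']} "
              f"after {hit['failures']} failures "
              f"(tried: {', '.join(hit['users_tried'])})")
```

Run against a real /var/log/auth.log or /var/log/secure by passing the file object in place of SAMPLE_LOG; an "Accepted password" with a long failure run in front of it is the account to re-check with John the Ripper (or simply lock), whereas a success with no failures behind it is ordinary use. The same loop extends naturally to "Accepted publickey" if you want a full login inventory, but the brute-force signal lives in the password lines.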

