Hello. Recently I discovered some kind of exploit of openssh used against me. For configuration info, I am using Mandrake 8.2 with the openssh package openssh-3.1p1-1mdk.

Fortunately, I was at least somewhat security-aware, and have an AllowUsers parameter in my sshd config file. I used to allow only public key logins, but ditched that when I found myself needing access from multiple places. I was behind my provider's firewall until recently, when I decided to allow connections from the net (to host my own web site), so this might be an old one (and I'd guess so, since I first opened up the firewall on Feb 4 2003).

Anyway, the services I have (that is, had) running are httpd (httpd and httpd-perl in Mandrake), sshd, and xdm. (All default Mandrake, no source builds.) The following is a log snippet. What's going on?

PS: I am _NOT_ reading this list, so please cc: all replies to me. Thanks.

Feb 5 09:29:09 narnia adduser[15054]: new user: name=telnet, uid=0, gid=0, home=/usr/doc/, shell=/bin/bash
Feb 5 09:29:48 narnia PAM_pwdb[15055]: new password not acceptable
Feb 5 09:30:06 narnia sshd[15046]: Could not reverse map address 194.105.21.48.
Feb 5 09:30:06 narnia sshd[15046]: User telnet not allowed because not listed in AllowUsers
Feb 5 09:30:06 narnia sshd[15046]: input_userauth_request: illegal user telnet
Feb 5 09:30:06 narnia sshd[15046]: Failed none for illegal user telnet from 194.105.21.48 port 1073 ssh2
Feb 5 09:30:07 narnia sshd[15046]: Failed keyboard-interactive for illegal user telnet from 194.105.21.48 port 1073 ssh2
Feb 5 09:30:12 narnia sshd[15046]: Failed password for illegal user telnet from 194.105.21.48 port 1073 ssh2
Feb 5 09:30:13 narnia sshd[15046]: Failed none for illegal user telnet from 194.105.21.48 port 1073 ssh2
Feb 5 09:30:14 narnia sshd[15046]: Failed keyboard-interactive for illegal user telnet from 194.105.21.48 port 1073 ssh2
Feb 5 09:30:19 narnia sshd[15046]: Connection closed by 194.105.21.48
Feb 5 09:32:19 narnia PAM_pwdb[15069]: password for (telnet/0) changed by ((null)/0)
Feb 5 09:32:43 narnia adduser[15070]: new user: name=bash, uid=0, gid=0, home=/usr/doc/, shell=/bin/bash
Feb 5 09:33:16 narnia PAM_pwdb[15071]: password for (bash/0) changed by ((null)/0)
Feb 5 09:33:46 narnia sshd[15073]: User bash not allowed because not listed in AllowUsers
Feb 5 09:33:46 narnia sshd[15073]: input_userauth_request: illegal user bash
Feb 5 09:33:46 narnia sshd[15073]: Failed none for illegal user bash from 127.0.0.1 port 33853 ssh2
Feb 5 09:33:46 narnia sshd[15073]: Failed keyboard-interactive for illegal user bash from 127.0.0.1 port 33853 ssh2
Feb 5 09:35:55 narnia sshd[15073]: Failed password for illegal user bash from 127.0.0.1 port 33853 ssh2
Feb 5 09:36:24 narnia sshd[15073]: Failed password for illegal user bash from 127.0.0.1 port 33853 ssh2
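The log above already contains the indicators a responder would look for: uid-0 accounts created by adduser under non-root names, passwords for them set by a process with no login name, and sshd refusing them first from a remote address and then from 127.0.0.1. The following is an added example (not part of the post and not OpenSSH code) that parses those exact lines and applies those three rules; the regexes are written against the Mandrake 8.2 syslog format shown in the post, and the /etc/passwd excerpt is constructed for illustration.

```python
import re
from typing import Dict, Iterator, List, Tuple

# Log lines copied from the post above (wrapped "ssh 2" tokens rejoined as "ssh2").
SAMPLE_LOG = """\
Feb 5 09:29:09 narnia adduser[15054]: new user: name=telnet, uid=0, gid=0, home=/usr/doc/, shell=/bin/bash
Feb 5 09:29:48 narnia PAM_pwdb[15055]: new password not acceptable
Feb 5 09:30:06 narnia sshd[15046]: Could not reverse map address 194.105.21.48.
Feb 5 09:30:06 narnia sshd[15046]: User telnet not allowed because not listed in AllowUsers
Feb 5 09:30:06 narnia sshd[15046]: input_userauth_request: illegal user telnet
Feb 5 09:30:06 narnia sshd[15046]: Failed none for illegal user telnet from 194.105.21.48 port 1073 ssh2
Feb 5 09:30:07 narnia sshd[15046]: Failed keyboard-interactive for illegal user telnet from 194.105.21.48 port 1073 ssh2
Feb 5 09:30:12 narnia sshd[15046]: Failed password for illegal user telnet from 194.105.21.48 port 1073 ssh2
Feb 5 09:30:13 narnia sshd[15046]: Failed none for illegal user telnet from 194.105.21.48 port 1073 ssh2
Feb 5 09:30:14 narnia sshd[15046]: Failed keyboard-interactive for illegal user telnet from 194.105.21.48 port 1073 ssh2
Feb 5 09:30:19 narnia sshd[15046]: Connection closed by 194.105.21.48
Feb 5 09:32:19 narnia PAM_pwdb[15069]: password for (telnet/0) changed by ((null)/0)
Feb 5 09:32:43 narnia adduser[15070]: new user: name=bash, uid=0, gid=0, home=/usr/doc/, shell=/bin/bash
Feb 5 09:33:16 narnia PAM_pwdb[15071]: password for (bash/0) changed by ((null)/0)
Feb 5 09:33:46 narnia sshd[15073]: User bash not allowed because not listed in AllowUsers
Feb 5 09:33:46 narnia sshd[15073]: input_userauth_request: illegal user bash
Feb 5 09:33:46 narnia sshd[15073]: Failed none for illegal user bash from 127.0.0.1 port 33853 ssh2
Feb 5 09:33:46 narnia sshd[15073]: Failed keyboard-interactive for illegal user bash from 127.0.0.1 port 33853 ssh2
Feb 5 09:35:55 narnia sshd[15073]: Failed password for illegal user bash from 127.0.0.1 port 33853 ssh2
Feb 5 09:36:24 narnia sshd[15073]: Failed password for illegal user bash from 127.0.0.1 port 33853 ssh2
"""

# Constructed /etc/passwd excerpt (assumed, not from the post); the two uid-0
# entries are modelled on the adduser lines above.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/bin/sh
kimmo:x:501:501::/home/kimmo:/bin/bash
telnet:x:0:0::/usr/doc/:/bin/bash
bash:x:0:0::/usr/doc/:/bin/bash
"""

# "Mon  5 09:29:09 host prog[pid]: message" (one or two spaces before the day).
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w\-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
NEW_USER_RE = re.compile(
    r"new user: name=(?P<name>[^,]+), uid=(?P<uid>\d+), gid=(?P<gid>\d+), "
    r"home=(?P<home>[^,]+), shell=(?P<shell>\S+)"
)
# "(null)" as the changer's name means the caller had no utmp login entry.
PW_CHANGED_RE = re.compile(
    r"password for \((?P<name>[^/]+)/(?P<uid>\d+)\) changed by \((?P<by>[^/]+)/(?P<byuid>\d+)\)"
)
SSH_FAIL_RE = re.compile(
    r"Failed (?P<method>\S+) for illegal user (?P<name>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

Finding = Tuple[str, str, str]  # (rule name, account, human-readable detail)


def parse_syslog(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per syslog line that matches the expected format."""
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            yield m.groupdict()


def analyse(log_text: str) -> List[Finding]:
    """Apply the three indicator rules to the log, in order, keeping state across lines."""
    findings: List[Finding] = []
    backdoors: Dict[str, str] = {}  # uid-0 accounts created under a non-root name -> time created
    for rec in parse_syslog(log_text):
        prog, msg, ts = rec["prog"], rec["msg"], rec["ts"]
        if prog == "adduser":
            m = NEW_USER_RE.search(msg)
            if m and m["uid"] == "0" and m["name"] != "root":
                backdoors[m["name"]] = ts
                findings.append(("uid0-account", m["name"],
                                 f"{ts}: created with uid=0, home={m['home']}, shell={m['shell']}"))
        elif prog == "PAM_pwdb":
            m = PW_CHANGED_RE.search(msg)
            if m and m["name"] in backdoors:
                findings.append(("backdoor-password-set", m["name"],
                                 f"{ts}: password set by {m['by']}/{m['byuid']} (no login name, so not an interactive passwd run)"))
        elif prog == "sshd":
            m = SSH_FAIL_RE.search(msg)
            if m and m["name"] in backdoors:
                # A denial from 127.0.0.1 means the attacker already had a local shell.
                origin = "localhost (attacker already on the box)" if m["ip"].startswith("127.") else f"remote {m['ip']}"
                findings.append(("backdoor-login-attempt", m["name"],
                                 f"{ts}: {m['method']} auth for {m['name']} from {origin}, blocked by AllowUsers"))
    return findings


def uid0_accounts(passwd_text: str) -> List[str]:
    """Names other than root with uid 0, the same check as `awk -F: '$3==0' /etc/passwd`."""
    names: List[str] = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[2] == "0" and fields[0] != "root":
            names.append(fields[0])
    return names


if __name__ == "__main__":
    for rule, account, detail in analyse(SAMPLE_LOG):
        print(f"[{rule}] {account}: {detail}")
    print("extra uid-0 accounts in passwd:", uid0_accounts(SAMPLE_PASSWD))
```

Running it over the posted lines yields two `uid0-account` findings (telnet, bash), two `backdoor-password-set` findings, and nine `backdoor-login-attempt` findings, five from 194.105.21.48 and four from 127.0.0.1. AllowUsers is what kept the accounts unusable over ssh, but the adduser and PAM lines were written by something already running as root on the host, so the ordering of the findings, not the sshd denials, is the part that tells you the machine is compromised.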
On Thu, Feb 13, 2003 at 02:36:27AM +0200, Kimmo Hovi wrote:
> Hello. Recently I discovered some kind of exploit of openssh used against
> me. For configuration info, I am using Mandrake 8.2 with the openssh
> package openssh-3.1p1-1mdk.
> Feb 5 09:29:09 narnia adduser[15054]: new user: name=telnet, uid=0,
> gid=0, home=/usr/doc/, shell=/bin/bash
> Feb 5 09:29:48 narnia PAM_pwdb[15055]: new password not acceptable
> Feb 5 09:30:06 narnia sshd[15046]: Could not reverse map address
> 194.105.21.48.
> Feb 5 09:30:06 narnia sshd[15046]: User telnet not allowed because not
> listed in AllowUsers

I don't see how this is at all related to openssh having some kind of exploit. Someone locally added a user named 'telnet' and then tried to ssh as that user. Your machine is already compromised, it seems, in a way that only allows creation of new users, maybe?

/fc
Um.. you're using openssh 3.1. That's been known to be vulnerable and has known exploits. You've been cracked buddy...

-James

Kimmo Hovi wrote:
> Hello. Recently I discovered some kind of exploit of openssh used against
> me. For configuration info, I am using Mandrake 8.2 with the openssh
> package openssh-3.1p1-1mdk.
>
> Fortunately, I was at least somewhat security-aware, and have an
> AllowUsers parameter in my sshd config file. I used to allow only public
> key logins, but ditched that when I found myself needing access from
> multiple places. I was behind my provider's firewall until recently, when
> I decided to allow connections from the net (to host my own web site), so
> this might be an old one (and I'd guess so, since I first opened up the
> firewall on Feb 4 2003).
>
> Anyway, the services I have (that is, had) running are httpd (httpd and
> httpd-perl in Mandrake), sshd, and xdm. (All default Mandrake, no source
> builds.) The following is a log snippet. What's going on?
>
> PS: I am _NOT_ reading this list, so please cc: all replies to me. Thanks.
>
> Feb 5 09:29:09 narnia adduser[15054]: new user: name=telnet, uid=0,
> gid=0, home=/usr/doc/, shell=/bin/bash
> Feb 5 09:29:48 narnia PAM_pwdb[15055]: new password not acceptable
> Feb 5 09:30:06 narnia sshd[15046]: Could not reverse map address
> 194.105.21.48.
> Feb 5 09:30:06 narnia sshd[15046]: User telnet not allowed because not
> listed in AllowUsers
> Feb 5 09:30:06 narnia sshd[15046]: input_userauth_request: illegal user
> telnet
> Feb 5 09:30:06 narnia sshd[15046]: Failed none for illegal user telnet
> from 194.105.21.48 port 1073 ssh2
> Feb 5 09:30:07 narnia sshd[15046]: Failed keyboard-interactive for
> illegal user telnet from 194.105.21.48 port 1073 ssh2
> Feb 5 09:30:12 narnia sshd[15046]: Failed password for illegal user
> telnet from 194.105.21.48 port 1073 ssh2
> Feb 5 09:30:13 narnia sshd[15046]: Failed none for illegal user telnet
> from 194.105.21.48 port 1073 ssh2
> Feb 5 09:30:14 narnia sshd[15046]: Failed keyboard-interactive for
> illegal user telnet from 194.105.21.48 port 1073 ssh2
> Feb 5 09:30:19 narnia sshd[15046]: Connection closed by 194.105.21.48
> Feb 5 09:32:19 narnia PAM_pwdb[15069]: password for (telnet/0) changed by
> ((null)/0)
> Feb 5 09:32:43 narnia adduser[15070]: new user: name=bash, uid=0, gid=0,
> home=/usr/doc/, shell=/bin/bash
> Feb 5 09:33:16 narnia PAM_pwdb[15071]: password for (bash/0) changed by
> ((null)/0)
> Feb 5 09:33:46 narnia sshd[15073]: User bash not allowed because not
> listed in AllowUsers
> Feb 5 09:33:46 narnia sshd[15073]: input_userauth_request: illegal user
> bash
> Feb 5 09:33:46 narnia sshd[15073]: Failed none for illegal user bash from
> 127.0.0.1 port 33853 ssh2
> Feb 5 09:33:46 narnia sshd[15073]: Failed keyboard-interactive for
> illegal user bash from 127.0.0.1 port 33853 ssh2
> Feb 5 09:35:55 narnia sshd[15073]: Failed password for illegal user bash
> from 127.0.0.1 port 33853 ssh2
> Feb 5 09:36:24 narnia sshd[15073]: Failed password for illegal user bash
> from 127.0.0.1 port 33853 ssh2

--
James Dennis
Harvard Law School
"Not everything that counts can be counted, and not everything that can be counted counts."