Hi Guys,

My Debian box was hacked a few days ago using an OpenSSH vulnerability. Subsequently my box was used for sending spam and as a hacking platform (according to my ISP).

I was running a fairly recent version of OpenSSH (3.9p1). I reinstalled my box (now with 3.8p1 as supplied by Debian Stable), and started tcpdump to see if I would get lucky. I DID!

The auth.log file shows the following:

Nov 4 06:25:01 localhost su[5715]: + ??? root:nobody
Nov 4 06:25:01 localhost su[5715]: (pam_unix) session opened for user nobody by (uid=0)

In the auth.log from my hacked box, I also had these lines. However, I could not correlate them to TCP messages, so they didn't help me. Now, I do have a full tcp dump ;-)

In the dump file, I found three simple messages that did the job:

First: A SYN request to the ssh port

0000 00 01 80 57 16 3d 00 90 d0 af 86 eb 08 00 45 00 ...W.=.. ......E.
0010 00 30 3c 2d 00 00 74 06 1b fd d2 f0 11 2c 0a 00 .0<-..t. .....,..
0020 00 82 d6 d3 00 16 7e c1 e4 5f 75 72 0c 80 70 02 ......~. ._ur..p.
0030 ff ff d8 83 00 00 02 04 05 b4 01 01 04 02 ........ ......

Next the reply from my box (SYN ACK):

0000 00 90 d0 af 86 eb 00 01 80 57 16 3d 08 00 45 00 ........ .W.=..E.
0010 00 30 00 00 40 00 40 06 4c 2a 0a 00 00 82 d2 f0 .0..@.@. L*......
0020 11 2c 00 16 d6 d3 55 c4 46 41 7e c1 e4 60 70 12 .,....U. FA~..`p.
0030 16 d0 a7 8f 00 00 02 04 05 b4 01 01 04 02 ........ ......

And then the killer. A RST message. The weird ACK (2856040895 according to ethereal) seems to be the culprit:

0000 00 01 80 57 16 3d 00 90 d0 af 86 eb 08 00 45 00 ...W.=.. ......E.
0010 00 28 a3 31 40 00 34 06 b5 00 d2 f0 11 2c 0a 00 .(.1@.4. .....,..
0020 00 82 d6 d3 00 16 7e c1 e4 60 00 00 00 00 50 04 ......~. .`....P.
0030 00 00 87 36 00 00 00 00 00 00 00 00 ...6.... ....

I don't have a clue how this could cause a session for nobody to be started. I hope this is useful information for you to nail this thing.
Or perhaps you have already nailed it, but I didn't find any information on this vulnerability in Google.

If you need more information, please let me know.

Good luck,
Evert
On Fri, 04 Nov 2005 11:54:14 +0100 Evert van de Waal <evert.vandewaal at imtech.nl> wrote:

> Hi Guys,
>
> My Debian box has been hacked a few days ago using an OpenSSH
> vulnerability. Subsequently my box was used for sending spam and as a
> hacking platform (according to my ISP).

How do you know it was an OpenSSH vulnerability? You have provided no evidence for this theory, indeed quite the opposite.

> The auth.log file shows the following:
> Nov 4 06:25:01 localhost su[5715]: + ??? root:nobody
> Nov 4 06:25:01 localhost su[5715]: (pam_unix) session opened for user
> nobody by
> (uid=0)

OpenSSH doesn't use uid nobody for anything. So, unless you had a bad password set for your nobody account or you broke your PAM configuration in some way, it probably wasn't OpenSSH that was used to break in to your system. Since you didn't actually post any logs of a break-in (just a later privilege escalation), it is impossible to tell.

> In the auth.log from my hacked box, I also had these lines. However, I
> could not correlate them to TCP messages, so they didn't help me. Now, I
> do have a full tcp dump ;-)

What you posted isn't a tcpdump, it is just a hex packet dump. Have you gone out of your way to make it hard to read your packet trace? Even snoop output would have been easier...

> In the dump file, I found three simple messages that did the job:
>
> First: A SYN request to the ssh port
>
> 0000 00 01 80 57 16 3d 00 90 d0 af 86 eb 08 00 45 00 ...W.=.. ......E.
> 0010 00 30 3c 2d 00 00 74 06 1b fd d2 f0 11 2c 0a 00 .0<-..t. .....,..
> 0020 00 82 d6 d3 00 16 7e c1 e4 5f 75 72 0c 80 70 02 ......~. ._ur..p.
> 0030 ff ff d8 83 00 00 02 04 05 b4 01 01 04 02 ........ ......
>
> Next the reply from my box (SYN ACK):
> 0000 00 90 d0 af 86 eb 00 01 80 57 16 3d 08 00 45 00 ........ .W.=..E.
> 0010 00 30 00 00 40 00 40 06 4c 2a 0a 00 00 82 d2 f0 .0..@.@. L*......
> 0020 11 2c 00 16 d6 d3 55 c4 46 41 7e c1 e4 60 70 12 .,....U. FA~..`p.
> 0030 16 d0 a7 8f 00 00 02 04 05 b4 01 01 04 02 ........ ......
>
> And then the killer. A RST message. The weird ACK (2856040895 according
> to ethereal) seems to be the culprit:
> 0000 00 01 80 57 16 3d 00 90 d0 af 86 eb 08 00 45 00 ...W.=.. ......E.
> 0010 00 28 a3 31 40 00 34 06 b5 00 d2 f0 11 2c 0a 00 .(.1@.4. .....,..
> 0020 00 82 d6 d3 00 16 7e c1 e4 60 00 00 00 00 50 04 ......~. .`....P.
> 0030 00 00 87 36 00 00 00 00 00 00 00 00 ...6.... ....

This is not an attack on OpenSSH, it looks like a type of stealth portscan that completes enough of the 3-way handshake to avoid synproxy devices but not enough to activate daemons (thereby leaving spoor in the logs). Someone more interested could probably match it back to one of nmap's modes.

BTW ethereal reported the wrong ack sequence number (or you transposed it wrong).

-d
On Fri, Nov 04, 2005 at 11:54:14AM +0100, Evert van de Waal wrote:

> My Debian box has been hacked a few days ago using an OpenSSH
> vulnerability. Subsequently my box was used for sending spam and as a
> hacking platform (according to my ISP).

Why do you think this is an OpenSSH vulnerability? I've only partly decoded the traces but it looks like the ssh connection was being dropped immediately after establishment (such as would be expected if, eg, you are using tcpwrappers). There's no SSH traffic at all, not even the protocol handshake.

> I was running a fairly recent version of OpenSSH (3.9p1). I reinstalled
> my box (now with 3.8p1 as supplied by Debian Stable), and started
> tcpdump to see if I would get lucky. I DID!

3.9p1 built from vanilla source? If so, built with what options? If not, where did you get it?

> The auth.log file shows the following:
> Nov 4 06:25:01 localhost su[5715]: + ??? root:nobody
> Nov 4 06:25:01 localhost su[5715]: (pam_unix) session opened for user
> nobody by (uid=0)

I don't think that's related. It's a su from root to nobody, and there seems to be some job in the base Debian installation that does that at 06:25 (probably the updatedb job).

The sshd syslog entries would be more interesting. I suspect they'll say "refused connection from (some IP)".

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
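To check the two replies' reading of the three frames, here is an added Python decoder (not code from the thread, from OpenSSH or from Ethereal) that parses Evert's hex dumps into Ethernet, IPv4 and TCP fields, verifies the IP and TCP checksums, and tests the relationships the replies rely on: the SYN/ACK acknowledges the SYN's sequence number plus one, the RST carries exactly that sequence number but has no ACK flag and an acknowledgement field of zero (so the 2856040895 ethereal displayed is not in this packet), and none of the three segments carries a byte of payload, so no SSH version string was ever exchanged. The dumps are the ones posted above, with the `@` characters in the ASCII columns restored where the archive replaced them with ` at `. The parser assumes, as is true of these dumps, that the ASCII column never starts with a two-character token that looks like a hex byte. It also reports each frame's IP TTL; the SYN arrives with TTL 116 and the RST with TTL 52, a difference worth noting before treating both as output of the same TCP stack.

```python
"""Decode the three Ethereal hex dumps posted in the thread (Ethernet -> IPv4 -> TCP),
verify IP and TCP checksums, and check how the three segments relate to each other.
Added example; the frames are the ones Evert posted, not constructed data."""
import re
import struct

# The three frames as posted: offset, hex bytes, then Ethereal's ASCII column.
SYN_DUMP = """
0000 00 01 80 57 16 3d 00 90 d0 af 86 eb 08 00 45 00 ...W.=.. ......E.
0010 00 30 3c 2d 00 00 74 06 1b fd d2 f0 11 2c 0a 00 .0<-..t. .....,..
0020 00 82 d6 d3 00 16 7e c1 e4 5f 75 72 0c 80 70 02 ......~. ._ur..p.
0030 ff ff d8 83 00 00 02 04 05 b4 01 01 04 02 ........ ......
"""
SYNACK_DUMP = """
0000 00 90 d0 af 86 eb 00 01 80 57 16 3d 08 00 45 00 ........ .W.=..E.
0010 00 30 00 00 40 00 40 06 4c 2a 0a 00 00 82 d2 f0 .0..@.@. L*......
0020 11 2c 00 16 d6 d3 55 c4 46 41 7e c1 e4 60 70 12 .,....U. FA~..`p.
0030 16 d0 a7 8f 00 00 02 04 05 b4 01 01 04 02 ........ ......
"""
RST_DUMP = """
0000 00 01 80 57 16 3d 00 90 d0 af 86 eb 08 00 45 00 ...W.=.. ......E.
0010 00 28 a3 31 40 00 34 06 b5 00 d2 f0 11 2c 0a 00 .(.1@.4. .....,..
0020 00 82 d6 d3 00 16 7e c1 e4 60 00 00 00 00 50 04 ......~. .`....P.
0030 00 00 87 36 00 00 00 00 00 00 00 00 ...6.... ....
"""

HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")
# Flag bits of the 13th TCP header byte, in the order they are printed.
TCP_FLAGS = ((0x02, "SYN"), (0x10, "ACK"), (0x04, "RST"), (0x01, "FIN"),
             (0x08, "PSH"), (0x20, "URG"))


def parse_hexdump(text):
    """Convert an Ethereal-style hex dump to bytes: each line is an offset,
    up to 16 hex bytes, then an ASCII column (assumed never to start with a
    two-character hex-looking token) at which we stop."""
    out = bytearray()
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if int(tokens[0], 16) != len(out):
            raise ValueError("non-contiguous offset in dump: %s" % tokens[0])
        for tok in tokens[1:17]:
            if not HEX_BYTE.match(tok):
                break  # first token of the ASCII column
            out.append(int(tok, 16))
    return bytes(out)


def inet_sum(data):
    """RFC 1071 one's-complement sum folded to 16 bits (odd length zero-padded).
    A header or segment whose checksum field is correct sums to 0xFFFF."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def decode_frame(frame):
    """Decode Ethernet/IPv4/TCP headers and return the fields the thread argues about."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    ip = ip[:total_len]  # drop Ethernet padding (the 40-byte RST is padded to a 60-byte frame)
    if ip[9] != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:]
    sport, dport, seq, ack = struct.unpack("!HHII", tcp[:12])
    doff = (tcp[12] >> 4) * 4
    # TCP pseudo-header: src, dst, zero, protocol, TCP length (header + payload).
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return {
        "src": ".".join(str(b) for b in ip[12:16]),
        "dst": ".".join(str(b) for b in ip[16:20]),
        "ttl": ip[8],
        "ip_checksum_ok": inet_sum(ip[:ihl]) == 0xFFFF,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": ",".join(name for bit, name in TCP_FLAGS if tcp[13] & bit),
        "window": struct.unpack("!H", tcp[14:16])[0],
        "tcp_checksum_ok": inet_sum(pseudo + tcp) == 0xFFFF,
        "payload_len": len(tcp) - doff,
    }


def analyse_handshake():
    """Decode the three posted frames and check how they relate to each other."""
    syn, synack, rst = (decode_frame(parse_hexdump(d))
                        for d in (SYN_DUMP, SYNACK_DUMP, RST_DUMP))
    return {
        "syn": syn, "synack": synack, "rst": rst,
        # A genuine SYN/ACK acknowledges the client's initial sequence number + 1.
        "synack_acks_syn": synack["ack"] == ((syn["seq"] + 1) & 0xFFFFFFFF),
        # The RST carries the sequence number the server expected next ...
        "rst_seq_matches": rst["seq"] == synack["ack"],
        # ... but its acknowledgement field is zero (the ACK flag is not set).
        "rst_ack_field": rst["ack"],
        # No bytes above TCP in either direction: not even an SSH version banner.
        "any_payload": any(p["payload_len"] for p in (syn, synack, rst)),
        "checksums_ok": all(p["ip_checksum_ok"] and p["tcp_checksum_ok"]
                            for p in (syn, synack, rst)),
    }


if __name__ == "__main__":
    f = analyse_handshake()
    for name in ("syn", "synack", "rst"):
        p = f[name]
        print("%-6s %s:%d -> %s:%d flags=%s seq=%#010x ack=%#010x ttl=%d payload=%d"
              % (name, p["src"], p["sport"], p["dst"], p["dport"], p["flags"],
                 p["seq"], p["ack"], p["ttl"], p["payload_len"]))
    print("SYN/ACK acknowledges SYN:", f["synack_acks_syn"])
    print("RST seq matches expected:", f["rst_seq_matches"], "RST ack field:", f["rst_ack_field"])
    print("payload present:", f["any_payload"], "checksums ok:", f["checksums_ok"])
```

Run stand-alone it prints one line per frame plus the consistency checks. All six checksums verify, which rules out a garbled capture as the explanation for the odd acknowledgement number; the connection simply opened and was reset with nothing sent, which is what both replies conclude and what an sshd log line or a tcpwrappers "refused connect" entry for that source address would corroborate.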