[cobalt-users] RaQ2 Hacked - sshd vulnerability?
- Subject: [cobalt-users] RaQ2 Hacked - sshd vulnerability?
- From: Diana Brake <diana@xxxxxxxxxxxxx>
- Date: Sun Jan 6 16:13:01 2002
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Hi All,
I have a RaQ2 that was hacked last night, probably because I was still
running OpenSSH Release 2.9p2 (no excuses here, but the package from
Cobalt to upgrade to 3.0.2p1 wouldn't install properly, and my newbie-ish
level of admin paranoia kept me from doing it from source). Even so, SSH1
was disabled (completely removed from the config line, leaving 2 only) and
root login was set to "no".
The intruder didn't seem to do much, or even attempt to hide his
tracks...but he installed ettercap in root's home directory and set the
network card into promiscuous mode.
My colo's security guy seemed adamant that it was the telnet vulnerability,
but I've had telnet turned off via the GUI for nearly a year. The logs
showed this:
Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Jan 6 01:43:32 ****** sshd[31743]: Accepted password for ROOT from 64.224.118.113 port 2756 ssh2
Jan 6 01:43:53 ****** sshd[31763]: Failed password for ROOT from 127.0.0.1 port 8244 ssh2
Jan 6 01:43:58 ****** sshd[31763]: Accepted password for ROOT from 127.0.0.1 port 8244 ssh2
Jan 6 01:53:17 ****** kernel: eth0: Promiscuous mode enabled.
Jan 6 01:53:17 ****** kernel: eth0: Promiscuous mode enabled.
So, can anyone give me any info on what type of exploit causes a ROOT
login? (The ROOT in uppercase is my curiosity, because it would seem to be
a separate user from root in lowercase... is this so?) And did this person
really use a password at all, or was there some kind of buffer overflow
that just generated the shell?
This machine was not doing anything functional...no hosting anyway. I use
it to play around and test stuff so I don't break my real working machine.
I've shut it down and my intention is to bring it home and hook it up so I
can "play" with it some more and see what else might have been done. Any
suggestions on where and what to look for would be greatly appreciated.
Thank goodness for logcheck...:)
I also bit the bullet and upgraded the working machine by hand since the
package wouldn't install into it either. I had to upgrade the openssl
before the latest openssh would install. Funny thing is, I have a third
RaQ2 machine that took Cobalt's package just fine from the beginning, but
that still means two out of my three RaQ2s wouldn't accept the Cobalt
package. Has this been a problem for other RaQ2 owners?
Thanks all,
Diana
Crest Communications, Inc. diana@xxxxxxxxxxxxx
Beautiful Sunny Florida http://crestcommunications.com/
352-495-9359, 425-732-9785 fax
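The log excerpt in the post is exactly the kind of input a small triage script can classify, so here is an added example (not part of Diana's message, nor Cobalt's or logcheck's code) that parses syslog-style sshd and kernel lines and raises the findings a responder would want called out: an accepted password login for a root-like account from a non-private address, a loopback login for the same account shortly afterwards, an account name that differs from `root` only by case, and the interface going promiscuous. The five log lines are constructed to mirror the post (the masked hostname `******` is kept as-is, the year 2002 is taken from the post date); the function names, the 15-minute pivot window and the `root`-only privileged-account rule are this example's own assumptions.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed sample mirroring the five lines quoted in the post above.
SAMPLE_LOG = """\
Jan  6 01:43:32 ****** sshd[31743]: Accepted password for ROOT from 64.224.118.113 port 2756 ssh2
Jan  6 01:43:53 ****** sshd[31763]: Failed password for ROOT from 127.0.0.1 port 8244 ssh2
Jan  6 01:43:58 ****** sshd[31763]: Accepted password for ROOT from 127.0.0.1 port 8244 ssh2
Jan  6 01:53:17 ****** kernel: eth0: Promiscuous mode enabled.
Jan  6 01:53:17 ****** kernel: eth0: Promiscuous mode enabled.
"""

# Classic BSD syslog layout: "Mon dd HH:MM:SS host prog[pid]: message" (pid optional).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# OpenSSH authentication result lines (old releases say "illegal user", newer "invalid user").
SSHD_AUTH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user |illegal user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
PROMISC_RE = re.compile(r"^(?P<iface>\S+): Promiscuous mode enabled")


def parse_line(line, year):
    """Return an event dict for one syslog line, or None if it is not a line we classify."""
    m = SYSLOG_RE.match(line.rstrip())
    if not m:
        return None
    ts = " ".join(m["ts"].split())  # collapse "Jan  6" to "Jan 6"; syslog carries no year
    ev = {
        "time": datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S"),
        "host": m["host"], "prog": m["prog"], "pid": m["pid"], "kind": None,
    }
    a = SSHD_AUTH_RE.match(m["msg"]) if m["prog"] == "sshd" else None
    if a:
        ev.update(kind="ssh_auth", result=a["result"], method=a["method"],
                  user=a["user"], ip=ip_address(a["ip"]), port=int(a["port"]))
        return ev
    p = PROMISC_RE.match(m["msg"]) if m["prog"] == "kernel" else None
    if p:
        ev.update(kind="promisc", iface=p["iface"])
        return ev
    return None


def triage(log_text, year, pivot_window=timedelta(minutes=15)):
    """Classify the log and return (events, findings); each finding is a (tag, detail) tuple."""
    events = [e for e in (parse_line(l, year) for l in log_text.splitlines()) if e]
    findings = []
    remote_root_logins = []
    seen_promisc = set()
    for ev in events:
        if ev["kind"] == "ssh_auth" and ev["result"] == "Accepted":
            priv = ev["user"].lower() == "root"          # assumed rule: only root is privileged
            remote = not (ev["ip"].is_loopback or ev["ip"].is_private)
            if priv and ev["user"] != "root":
                # Unix account names are case-sensitive, so "ROOT" is a different name from
                # "root"; an accepted login for it means that name resolved to some account.
                # Worth checking /etc/passwd and /etc/shadow for it during the investigation.
                findings.append(("root_lookalike_account", f"{ev['user']} from {ev['ip']}"))
            if priv and remote:
                findings.append(("remote_root_login",
                                 f"{ev['user']} from {ev['ip']} port {ev['port']}"))
                remote_root_logins.append(ev)
            if priv and ev["ip"].is_loopback:
                # A loopback login shortly after a remote one is the pattern of someone
                # re-entering through a tunnel or a locally run client on the victim.
                recent = [r for r in remote_root_logins
                          if timedelta(0) <= ev["time"] - r["time"] <= pivot_window]
                if recent:
                    findings.append(("loopback_login_after_remote",
                                     f"{ev['user']} at {ev['time']:%b %d %H:%M:%S}"))
        elif ev["kind"] == "promisc":
            if ev["iface"] not in seen_promisc:           # the kernel may log this twice
                seen_promisc.add(ev["iface"])
                findings.append(("promiscuous_mode",
                                 f"{ev['iface']} at {ev['time']:%b %d %H:%M:%S}"))
    return events, findings


if __name__ == "__main__":
    _, found = triage(SAMPLE_LOG, 2002)
    for tag, detail in found:
        print(f"{tag:30} {detail}")
```

Run against the sample it reports the remote login, the two uppercase-account findings, the loopback re-entry 26 seconds later and a single promiscuous-mode entry; point `triage` at a real `/var/log/messages` (with the right year) to get the same timeline for a machine under investigation.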