RE: [cobalt-users] RaQ2 Hacked - sshd vulnerability?
- Subject: RE: [cobalt-users] RaQ2 Hacked - sshd vulnerability?
- From: "Sim Ayers" <sim@xxxxxxxxxxxx>
- Date: Sun Jan 6 17:51:10 2002
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
> Hi All,
>
> I have a raq2 that was hacked last night, probably because I was still
> running OpenSSH Release 2.9p2. ( no excuses here but the package from
> Cobalt to upgrade to 3.0.2p1 wouldn't install properly and my newbie-ish
> level of admin paranoia kept me from doing it from source ). Even so, SSH1
> was disabled..(completely removed from the config line, leaving 2 only) and
> root login was set to "no".
>
> The intruder didn't seem to do much, or even attempt to hide his
> tracks...but he installed ettercap in root's home directory and set the
> network card into promiscuous mode.
>
> My colo's security guy seemed adamant that it was the telnet vulnerability,
> but I've had telnet turned off via the GUI for nearly a year. The logs
> showed this:
>
> Unusual System Events
> =-=-=-=-=-=-=-=-=-=-=
> Jan 6 01:43:32 ****** sshd[31743]: Accepted password for ROOT from 64.224.118.113 port 2756 ssh2
> Jan 6 01:43:53 ****** sshd[31763]: Failed password for ROOT from 127.0.0.1 port 8244 ssh2
> Jan 6 01:43:58 ****** sshd[31763]: Accepted password for ROOT from 127.0.0.1 port 8244 ssh2
> Jan 6 01:53:17 ****** kernel: eth0: Promiscuous mode enabled.
> Jan 6 01:53:17 ****** kernel: eth0: Promiscuous mode enabled.
>
> So, can anyone give me any info on what type of exploit causes a ROOT
> login....(the ROOT in uppercase is my curiosity because it would seem to be
> a separate user from root in lowercase...is this so?) And, did this person
> really use a password at all, or was there some kind of buffer overflow
> that just generated the shell?
>
> This machine was not doing anything functional...no hosting anyway. I use
> it to play around and test stuff so I don't break my real working machine.
> I've shut it down and my intention is to bring it home and hook it up so I
> can "play" with it some more and see what else might have been done. Any
> suggestions on where and what to look for would be greatly appreciated.
> Thank goodness for logcheck...:)
>
> I also bit the bullet and upgraded the working machine by hand since the
> package wouldn't install into it either. I had to upgrade the openssl
> before the latest openssh would install. Funny thing is, I have a third
> RaQ2 machine that took Cobalt's package just fine from the beginning, but
> that still means two out of my three RaQ2s wouldn't accept the Cobalt
> package. Has this been a problem for other RaQ2 owners?
>
> Thanks all,
> Diana
> Crest Communications, Inc. diana@xxxxxxxxxxxxx
> Beautiful Sunny Florida http://crestcommunications.com/
> 352-495-9359, 425-732-9785 fax
>
To all,
I'm not sure about the OpenSSH Release 2.9p2 vulnerability
since I've already upgraded to 3.0.2p1, but the source IP address of the
intruder is very interesting.
==========================================
64.224.118.113
isp = Interland
netblock1 = 64.224.0.0
netblock2 = 64.227.63.255
isp = Interliant
netblock1 = 209.235.0.0
netblock2 = 209.235.127.255
=========================================
I've had a lot of SSH2 login attempts from IP addresses that resolve back to
Interland and Interliant. I can't believe that someone would be that stupid
by using their own server to hack into other servers. It would seem that the
login attempts are from a worm on the hacking server. Or the servers have
been hacked into themselves and are being manipulated remotely. Like the
server that was hacked into by the two Russians who stole 50,000 credit cards
who then went on to use the stolen credit cards at PayPal. I've found that
most of the real SSH2 login attempts resolve back to China, Thailand, Taiwan,
Indonesia and other Asian countries where the hacker feels safe from any real
retaliation.
So do we have that many stupid hackers now? Or SSH worms? Or real hackers
like the two Russians?
Sim
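Added example, not part of either post: a small logcheck-style pass over the sshd and kernel lines quoted above. Since root login was set to "no", any accepted privileged login contradicts policy; the check also flags a username that matches a privileged account only case-insensitively (the ROOT question), a loopback login that follows a remote one, and the promiscuous-mode kernel message. The hostname `raq2` and the benign `diana` line are constructed stand-ins.

```python
import re

# Constructed sample modelled on the lines quoted in the post; the masked
# hostname is replaced by "raq2" and a benign final line is added for contrast.
SAMPLE_LOG = """\
Jan 6 01:43:32 raq2 sshd[31743]: Accepted password for ROOT from 64.224.118.113 port 2756 ssh2
Jan 6 01:43:53 raq2 sshd[31763]: Failed password for ROOT from 127.0.0.1 port 8244 ssh2
Jan 6 01:43:58 raq2 sshd[31763]: Accepted password for ROOT from 127.0.0.1 port 8244 ssh2
Jan 6 01:53:17 raq2 kernel: eth0: Promiscuous mode enabled.
Jan 6 02:10:00 raq2 sshd[31800]: Accepted publickey for diana from 10.0.0.5 port 40000 ssh2
"""

SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)
PROMISC_RE = re.compile(r"kernel: (?P<iface>\S+): Promiscuous mode enabled")

PRIVILEGED = {"root"}  # accounts that PermitRootLogin no should keep out


def analyse(log_text):
    """Return (severity, message) findings for sshd and kernel syslog lines."""
    findings = []
    remote_priv_login = False
    for line in log_text.splitlines():
        m = SSHD_RE.search(line)
        if m:
            user, src, method = m["user"], m["src"], m["method"]
            if m["result"] != "Accepted" or user.lower() not in PRIVILEGED:
                continue  # failures and ordinary users are not flagged here
            if user not in PRIVILEGED:
                # "ROOT" is not "root" on a case-sensitive system: either a
                # second privileged account exists or the log needs checking.
                findings.append(("HIGH", f"'{user}' matches a privileged account only by case; check /etc/passwd"))
            if src.startswith("127."):
                # A loopback login right after a remote one suggests the intruder
                # reconnecting through the box; on its own it is merely unusual.
                sev = "HIGH" if remote_priv_login else "MEDIUM"
                findings.append((sev, f"privileged login as '{user}' from loopback {src} ({method})"))
            else:
                remote_priv_login = True
                findings.append(("HIGH", f"remote privileged login as '{user}' from {src} ({method})"))
            continue
        p = PROMISC_RE.search(line)
        if p:
            findings.append(("HIGH", f"{p['iface']} entered promiscuous mode; look for a sniffer"))
    return findings


if __name__ == "__main__":
    for sev, msg in analyse(SAMPLE_LOG):
        print(sev, msg)
```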