
Re: [cobalt-users] SSH EXPLOIT IN THE WILD



On Thursday 18 September 2003 05:28, Mark S Burgunder wrote:
> On 9/16/03 2:42 PM, "Paul Warner" wrote:
> > SSHD : 68.47.255.231, 216.40.243.26 : spawn (/bin/echo -e "logs\: \n TCP
> > Wrappers\: Connection Alert\nBy\:            $(uname -n)\ndate\:
> > $(date)\nhostip\:                %a\nhostname\:      %h\nprocess\:
> > %d
> > (pid %p)\nconnectfrom\:   %c\nsource\:        %h %H\nport\:
> > %d\n"|
> > /bin/mail -s "Wrappers@$(uname -n)\: %d Connection Alert %c" root ) &
> >
> > Does that make me paranoid?
>
> This is great. I have put it in my hosts.allow file as well.
> I have played around a bit with the IP addresses and read the man pages for
> hosts.allow but could not figure out how I would change the above 'line'
> so that it always gets executed, no matter what IP address the SSH
> connection originates from.
>
> Has anyone an idea what I should put in the ip-address spot to activate
> this rule always?
>
> Cheers
> Mark S Burgunder
>

Or you could install the following script in /usr/local/etc/secnotes, make it 
executable, (chmod 750 /usr/local/etc/secnotes) then change your hosts.allow 
and/or hosts.deny lines to:

sshd: ALL : spawn /usr/local/etc/secnotes "%a+%A+%c+%d+%h+%H+%s+%u" &

If put in hosts.allow, it will send an email for every SSH connection 
"allowed", if put in hosts.deny it will send an email for every connection 
denied.  It can also be used for ftp, telnet and any other process that you want 
to monitor by simply changing the line above to the correct process in 
hosts.allow or deny.  Keeps the hosts files a bit "cleaner" (no wrapped lines 
to worry about), and works for any process that uses wrappers.  This one 
sends mail to root, but you can change that to any account that the box can 
"send" to.  I recommend (for security) that you send to an account that is 
"not" on the particular box you are monitoring if possible, since if the box 
is hacked they will probably catch the script pretty quick and "remove" their 
tracks (eg the emails), whereas if they are on a different box/location you 
still have something in hand.

####  CUT HERE ##########
#!/bin/sh
#
# Security Notes SHELL
###############################################################
# hosts.allow line (for hosts.deny keep the trailing ": DENY"):
#sshd: ALL : spawn /usr/local/etc/secnotes "%a+%A+%c+%d+%h+%H+%s+%u" & : DENY
#
# The single argument is the eight wrapper expansions joined with "+":
#   %a client address   %A server address    %c client info (user@host)
#   %d daemon name      %h client hostname   %H server hostname
#   %s server info      %u client user name (or "unknown")
DT1=$(date)
TMP="${1}"              ## Save input
LHOST=$(uname -n)       ## Get local name
## Now set input as argument list ($1..$8 in the order listed above)
set -- $(echo "${TMP}" | tr -s "+" " ")
## Now send message based on input args...
cat << !EOF! | /bin/mail -s "Wrappers: $1 $LHOST == $7" root > /dev/null 2>&1

        SECURITY NOTES - ATTEMPTED CONNECTION
        DATE: $DT1

        PORT: $4
        SERVER: ($7)
        CONNECTION: ($3)
        ON: $6:$2
        BY: $5:$1
        as USER: $8

!EOF!

exit 0
#####  CUT HERE ###########

Enjoy....

-- 
Larry Smith
SysAd ECSIS.NET
sysad@xxxxxxxxx
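As an added example (not the secnotes script from this thread, nor anything from the cobalt-users list), here is a POSIX sh notifier that takes the same "%a+%A+%c+%d+%h+%H+%s+%u" argument from a hosts.allow or hosts.deny spawn line. It splits the argument on IFS='+' instead of `tr -s "+" " "`, so a blank field keeps its position and the later fields cannot shift, and it builds the body and subject in functions that can be checked without sending mail. The host names, addresses, the SECNOTES_TO variable and the sample joined string are constructed assumptions.

```shell
#!/bin/sh
# Added example, not the script posted to the list: tcpwrappers notifier
# for a line such as
#   hosts.allow: sshd: ALL : spawn /usr/local/etc/secnotes "%a+%A+%c+%d+%h+%H+%s+%u" &
#   hosts.deny:  sshd: ALL : spawn /usr/local/etc/secnotes "%a+%A+%c+%d+%h+%H+%s+%u" & : DENY
# Sample values and the SECNOTES_TO variable are constructed assumptions.

# Split the joined argument into the eight expansions. Splitting on
# IFS='+' keeps an empty field in place (tr -s would squeeze "a++c"
# into two fields and shift everything after it). tcpwrappers already
# replaces shell metacharacters in % expansions with underscores, but
# pathname expansion is switched off during the split anyway.
parse_wrapper_arg() {
    old_ifs=$IFS
    set -f
    IFS='+'
    set -- $1
    IFS=$old_ifs
    set +f
    W_CLIENT_ADDR=${1:-unknown}   # %a
    W_SERVER_ADDR=${2:-unknown}   # %A
    W_CLIENT_INFO=${3:-unknown}   # %c  (user@host or just an address)
    W_DAEMON=${4:-unknown}        # %d
    W_CLIENT_HOST=${5:-unknown}   # %h
    W_SERVER_HOST=${6:-unknown}   # %H
    W_SERVER_INFO=${7:-unknown}   # %s  (daemon@address)
    W_CLIENT_USER=${8:-unknown}   # %u  (or "unknown")
}

# Mail body on stdout.  $1 = joined argument, $2 = timestamp text.
format_alert() {
    parse_wrapper_arg "$1"
    printf '%s\n' \
        "SECURITY NOTES - ATTEMPTED CONNECTION" \
        "DATE: $2" \
        "" \
        "DAEMON: $W_DAEMON" \
        "SERVER: $W_SERVER_INFO ($W_SERVER_HOST:$W_SERVER_ADDR)" \
        "CLIENT: $W_CLIENT_INFO ($W_CLIENT_HOST:$W_CLIENT_ADDR)" \
        "USER: $W_CLIENT_USER"
}

# Subject line.  $1 = joined argument, $2 = local host name.
alert_subject() {
    parse_wrapper_arg "$1"
    printf 'Wrappers: %s on %s from %s\n' "$W_DAEMON" "$2" "$W_CLIENT_ADDR"
}

# Deliver the notice. SECNOTES_TO (assumed variable) defaults to root;
# point it at a mailbox on another box where you can, as the thread
# recommends, so a compromised host cannot quietly delete the notices.
send_alert() {
    to=${SECNOTES_TO:-root}
    format_alert "$1" "$(date)" \
        | /bin/mail -s "$(alert_subject "$1" "$(uname -n)")" "$to" >/dev/null 2>&1
}

# When spawned by tcpwrappers the joined string is the only argument.
if [ $# -eq 1 ]; then
    send_alert "$1"
fi
```

Install it the same way as the script above (owned by root, mode 750) and reference it from the spawn line; the `${n:-unknown}` defaults mean a missing trailing field such as `%u` still produces a complete message rather than a blank line.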