[FoRK] new sshd hole (fwd)

jm at jmason.org jm at jmason.org
Wed Aug 4 09:54:09 PDT 2004


FYI -- it looks like a new sshd exploit is out and about -- there's
been another report in addition to this one.   No sign yet on 
bugtraq, /., etc., but keep an eye on any UNIX servers ;)

--j.

------- Forwarded Message
> Date:    Wed, 04 Aug 2004 15:09:15 +0100
> From:    Eoin Ryan <eoin.ryan at ul.ie>
> To:      ilug at linux.ie
> Subject: [ILUG] Debian Woody ssh hack
> Hi all,
> There appears to be a new exploit of sshd on Debian Woody.  Ssh version:
> SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3
> At the weekend 2 Debian Woody systems under my control were hacked with
> this exploit, which led to other, unrelated hacks in the University.
> The hacker seemed rather messy and left a lot of tell-tale signs behind
> that the system was broken into, despite making efforts to patch various
> system binaries, as well as patching sshd itself.  Check your
> /var/log/auth.log for login attempts to either of the following user
> names: test, admin.   Part of the procedure seems to be to add one of
> the aforementioned usernames to the system, including /home
> directories, so that would seem to be the easiest way of telling if
> you've been broken into.
> Piecing together from a few recent mails found online as well as the
> evidence left behind in logs, it seems that preceding the attack the
> hacker will scan target machines and try logging into the daemon with
> test/admin.  If the box has already been hacked and ssh patched then
> presumably they will get immediate access, if not they will launch their
> attack.
> The logs reveal a lot of downloaded tools from various websites around
> the world.  Some are DDOS tools, others r00t kits etc.  Perhaps the
> strangest download though was an iso.tmp file from ftp.esat.net, which
> perhaps ties in with weird behaviour that I noticed on that file server
> over the weekend.  The command was:
> wget http://ftp.esat.net/pub/linux/debian-cd/3.0_r2/source/debian-update-3.0r2.01-src.iso.tmp
> I didn't actually see anything in the logs that the hacker might have
> been doing with this file, but at the moment it is still available on
> esat.net.
> Be very careful about messing with any tools left behind by the hacker.
> The file, go.sh (ssh exploit), which I found a URL to in my history, seems to be
> booby-trapped as immediately after running it my system died a sudden
> and horrific death.  A re-install worked, but it's a perfect example
> of curiosity killing the cat.
> Hope this is useful,
> Eoin.
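The forwarded post gives three indicators to look for: sshd login attempts for the user names test or admin, accepted logins as those names, and the accounts (with /home directories) the intruder adds. The script below turns that into a repeatable check. It is an added example, not code from the original message or from either list; the auth.log and passwd lines are constructed samples (hostname "woody", source addresses from 192.0.2.0/24), written in the "Illegal user" wording OpenSSH releases of that era logged (later versions say "Invalid user"; the pattern accepts both). The function and variable names are this example's own.

```shell
#!/bin/sh
# Indicator-of-compromise check for the test/admin pattern described in the
# forwarded post. Added example, not code from the original message. All input
# below is constructed sample data, not captured from a real host.
set -eu

# Constructed sample of /var/log/auth.log (OpenSSH 3.x wording, fake host/IPs).
SAMPLE_AUTH_LOG=$(mktemp)
cat > "$SAMPLE_AUTH_LOG" <<'EOF'
Aug  1 03:12:44 woody sshd[1234]: Illegal user test from 192.0.2.10
Aug  1 03:12:47 woody sshd[1234]: Failed password for illegal user test from 192.0.2.10 port 40233 ssh2
Aug  1 03:12:51 woody sshd[1236]: Illegal user admin from 192.0.2.10
Aug  1 03:12:55 woody sshd[1236]: Failed password for illegal user admin from 192.0.2.10 port 40236 ssh2
Aug  1 03:15:02 woody sshd[1240]: Accepted password for admin from 192.0.2.10 port 40240 ssh2
Aug  1 08:00:12 woody sshd[1300]: Accepted publickey for eoin from 10.0.0.5 port 51000 ssh2
EOF

# Constructed sample of /etc/passwd after the intruder added both accounts.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
eoin:x:1000:1000:Eoin Ryan:/home/eoin:/bin/bash
test:x:1001:1001::/home/test:/bin/bash
admin:x:1002:1002::/home/admin:/bin/bash
EOF

# Constructed filesystem root with only /home/test created.
SAMPLE_ROOT=$(mktemp -d)
mkdir -p "$SAMPLE_ROOT/home/test"
trap 'rm -rf "$SAMPLE_AUTH_LOG" "$SAMPLE_PASSWD" "$SAMPLE_ROOT"' EXIT

# Number of sshd probes for the names test or admin before such an account
# existed ("Illegal user" on OpenSSH 3.x, "Invalid user" on later releases).
# grep -c prints 0 and exits 1 when nothing matches, hence the "|| true".
count_ioc_login_attempts() {
    grep -cE 'sshd\[[0-9]+\]: (Illegal|Invalid) user (test|admin) from' "$1" || true
}

# Number of successful logins as test or admin: on a host where the account
# already exists this is the "immediate access" the post describes.
count_ioc_accepted_logins() {
    grep -cE 'sshd\[[0-9]+\]: Accepted (password|publickey) for (test|admin) from' "$1" || true
}

# Accounts named test or admin with a /home directory and a real login shell,
# i.e. the accounts the post says the intruder adds. One name per line.
ioc_accounts() {
    awk -F: '($1 == "test" || $1 == "admin") && $6 ~ /^\/home\// && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Which of the two home directories actually exist under $1/home.
ioc_home_dirs() {
    for u in test admin; do
        [ -d "$1/home/$u" ] && echo "$u"
    done
    return 0
}

# Summarise all checks. On a real host: report /var/log/auth.log /etc/passwd /
report() {
    echo "test/admin probes in $1: $(count_ioc_login_attempts "$1")"
    echo "accepted logins as test/admin in $1: $(count_ioc_accepted_logins "$1")"
    echo "test/admin accounts in $2: $(ioc_accounts "$2" | tr '\n' ' ')"
    echo "test/admin home dirs under $3/home: $(ioc_home_dirs "$3" | tr '\n' ' ')"
}

report "$SAMPLE_AUTH_LOG" "$SAMPLE_PASSWD" "$SAMPLE_ROOT"
```

Two caveats follow directly from the post. Because the intruder patched sshd and other system binaries, grep, awk and the log itself on a compromised host cannot be trusted; run the check from a rescue boot or a known-good static toolset, and compare package checksums from the same clean environment. And the absence of these indicators only means this particular, messy intruder's pattern was not found; it does not clear the host.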

