Hi Guys,

My Debian box was hacked a few days ago using an OpenSSH
vulnerability. Subsequently my box was used for sending spam and as a
hacking platform (according to my ISP).

I was running a fairly recent version of OpenSSH (3.9p1). I reinstalled
my box (now with 3.8p1 as supplied by Debian Stable), and started
tcpdump to see if I would get lucky. I DID!

The auth.log file shows the following:
Nov 4 06:25:01 localhost su[5715]: + ??? root:nobody
Nov 4 06:25:01 localhost su[5715]: (pam_unix) session opened for user nobody by (uid=0)

In the auth.log from my hacked box, I also had these lines. However, I
could not correlate them to TCP messages, so they didn't help me. Now, I
do have a full tcp dump ;-)

In the dump file, I found three simple messages that did the job:

First: A SYN request to the ssh port

0000 00 01 80 57 16 3d 00 90 d0 af 86 eb 08 00 45 00 ...W.=.. ......E.
0010 00 30 3c 2d 00 00 74 06 1b fd d2 f0 11 2c 0a 00 .0<-..t. .....,..
0020 00 82 d6 d3 00 16 7e c1 e4 5f 75 72 0c 80 70 02 ......~. ._ur..p.
0030 ff ff d8 83 00 00 02 04 05 b4 01 01 04 02 ........ ......

Next the reply from my box (SYN ACK):
0000 00 90 d0 af 86 eb 00 01 80 57 16 3d 08 00 45 00 ........ .W.=..E.
0010 00 30 00 00 40 00 40 06 4c 2a 0a 00 00 82 d2 f0 .0..@.@. L*......
0020 11 2c 00 16 d6 d3 55 c4 46 41 7e c1 e4 60 70 12 .,....U. FA~..`p.
0030 16 d0 a7 8f 00 00 02 04 05 b4 01 01 04 02 ........ ......

And then the killer. A RST message. The weird ACK (2856040895 according
to ethereal) seems to be the culprit:
0000 00 01 80 57 16 3d 00 90 d0 af 86 eb 08 00 45 00 ...W.=.. ......E.
0010 00 28 a3 31 40 00 34 06 b5 00 d2 f0 11 2c 0a 00 .(.1@.4. .....,..
0020 00 82 d6 d3 00 16 7e c1 e4 60 00 00 00 00 50 04 ......~. .`....P.
0030 00 00 87 36 00 00 00 00 00 00 00 00 ...6.... ....

I don't have a clue how this could cause a session for nobody to be
started, I hope this is useful information for you to nail this thing.
Or perhaps you have already nailed it, but I didn't find any information
on this vulnerability in Google. If you need more information, please
let me know.

Good luck,
Evert

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://www.mindrot.org/mailman/listi...enssh-unix-dev