On Fri, 04 Nov 2005 11:54:14 +0100
Evert van de Waal wrote:

> Hi Guys,
>
> My Debian box has been hacked a few days ago using an OpenSSH
> vulnerability. Subsequently my box was used for sending spam and as a
> hacking platform (according to my ISP).


How do you know it was an OpenSSH vulnerability? You have provided no
evidence for this theory, indeed quite the opposite.

> The aut.log file shows the following:
> Nov 4 06:25:01 localhost su[5715]: + ??? root:nobody
> Nov 4 06:25:01 localhost su[5715]: (pam_unix) session opened for user
> nobody by
> (uid=0)


OpenSSH doesn't use uid nobody for anything. So, unless you had a bad
password set for your nobody account or you broke your PAM
configuration in some way, it probably wasn't OpenSSH that was used to
break in to your system. Since you didn't actually post any logs of a
break-in (just a later privilege escalation), it is impossible to tell.

> In the auth.log from my hacked box, I also had these lines. However, I
> could not correlate them to TCP messages, so they didn't help me. Now, I
> do have a full tcp dump ;-)


What you posted isn't a tcpdump, it is just a hex packet dump. Have
you gone out of your way to make it hard to read your packet trace? Even
snoop output would have been easier...

> In the dump file, I found three simple messages that did the job:
>
> First: A SYN request to the ssh port
>
> 0000 00 01 80 57 16 3d 00 90 d0 af 86 eb 08 00 45 00 ...W.=.. ......E.
> 0010 00 30 3c 2d 00 00 74 06 1b fd d2 f0 11 2c 0a 00 .0<-..t. .....,..
> 0020 00 82 d6 d3 00 16 7e c1 e4 5f 75 72 0c 80 70 02 ......~. ._ur..p.
> 0030 ff ff d8 83 00 00 02 04 05 b4 01 01 04 02 ........ ......
>
> Next the reply from my box (SYN ACK):
> 0000 00 90 d0 af 86 eb 00 01 80 57 16 3d 08 00 45 00 ........ .W.=..E.
> 0010 00 30 00 00 40 00 40 06 4c 2a 0a 00 00 82 d2 f0 .0..@.@. L*......
> 0020 11 2c 00 16 d6 d3 55 c4 46 41 7e c1 e4 60 70 12 .,....U. FA~..`p.
> 0030 16 d0 a7 8f 00 00 02 04 05 b4 01 01 04 02 ........ ......
>
> An then the killer. A RST message. The weird ACK (2856040895 according
> to ethereal) seems to be the culprit:
> 0000 00 01 80 57 16 3d 00 90 d0 af 86 eb 08 00 45 00 ...W.=.. ......E.
> 0010 00 28 a3 31 40 00 34 06 b5 00 d2 f0 11 2c 0a 00 .(.1@.4. .....,..
> 0020 00 82 d6 d3 00 16 7e c1 e4 60 00 00 00 00 50 04 ......~. .`....P.
> 0030 00 00 87 36 00 00 00 00 00 00 00 00 ...6.... ....


This is not an attack on OpenSSH, it looks like a type of stealth
portscan that completes enough of the 3-way handshake to avoid synproxy
devices but not enough to activate daemons (thereby leaving spoor in
the logs). Someone more interested could probably match it back to one
of nmap's modes.

BTW ethereal reported the wrong ack sequence number (or you transposed
it wrong).

-d

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
http://www.mindrot.org/mailman/listi...enssh-unix-dev