[ILUG] Debian Woody ssh hack
Justin Mason
jm at jmason.org
Wed Aug 4 17:56:26 IST 2004
Scary stuff. Right after defcon, too ;)
Have you got any other dropped files from the exploit? That .tmp is gone
from ftp.esat.net.
- --j.
Eoin Ryan writes:
> Hi all,
>
> There appears to be a new exploit of sshd on Debian Woody. Ssh version:
> SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3
>
> At the weekend 2 Debian Woody systems under my control were hacked with
> this exploit, which led to other, unrelated hacks in the University.
>
> The hacker seemed rather messy and left a lot of telltale signs behind
> that the system was broken into, despite making efforts to patch various
> system binaries, as well as patching sshd itself. Check your
> /var/log/auth.log for login attempts to either of the following user
> names: test, admin. Part of the procedure seems to be to add one of
> the aforementioned usernames to the system, including /home
> directories, so that would seem to be the easiest way of telling if
> you've been broken into.
>
> Piecing together from a few recent mails found online as well as the
> evidence left behind in logs, it seems that preceding the attack the
> hacker will scan target machines and try logging into the daemon with
> test/admin. If the box has already been hacked and ssh patched then
> presumably they will get immediate access, if not they will launch their
> attack.
>
> The logs reveal a lot of downloaded tools from various websites around
> the world. Some are DDOS tools, others r00t kits etc. Perhaps the
> strangest download though was an iso.tmp file from ftp.esat.net, which
> perhaps ties in with weird behaviour that I noticed on that file server
> over the weekend. The command was:
>
> wget http://ftp.esat.net/pub/linux/debian-cd/3.0_r2/source/debian-update-3.0r2.01-src.iso.tmp
>
> I didn't actually see anything in the logs that the hacker might have
> been doing with this file, but at the moment it is still available on
> esat.net.
>
> WARNING:
> Be very careful about messing with any tools left behind by the hacker.
> The file, go.sh (ssh exploit), which I found a URL to in my history, seems to be
> booby-trapped, as immediately after running it my system died a sudden
> and horrific death. A re-install worked, but it's a perfect example
> of curiosity killing the cat.
>
> Hope this is useful,
> Eoin.
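As an added example (not part of either message above), the two checks Eoin describes run as a script: look in auth.log for sshd login attempts against the test/admin names, and look in /etc/passwd for those accounts having been added. The log format assumed is OpenSSH 3.x syslog output; the sample log lines, addresses and passwd entries are constructed.

```python
import re

# Account names the post says the intruder tries first and then adds.
SUSPECT_USERS = {"test", "admin"}

# Matches OpenSSH 3.x auth.log lines such as
#   "sshd[2231]: Failed password for illegal user test from 192.0.2.10 port 4000 ssh2"
#   "sshd[2233]: Accepted password for admin from 192.0.2.10 port 4001 ssh2"
LOGIN_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for (?:illegal user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+)"
)


def suspicious_logins(auth_log_lines):
    """Return (result, user, source) for each sshd login attempt against a suspect name."""
    hits = []
    for line in auth_log_lines:
        m = LOGIN_RE.search(line)
        if m and m.group("user") in SUSPECT_USERS:
            hits.append((m.group("result"), m.group("user"), m.group("src")))
    return hits


def suspicious_accounts(passwd_lines):
    """Return (user, home) for each suspect name that exists as a local account."""
    found = []
    for line in passwd_lines:
        fields = line.rstrip("\n").split(":")
        if len(fields) >= 7 and fields[0] in SUSPECT_USERS:
            found.append((fields[0], fields[5]))
    return found


# Constructed sample data: the host name, PIDs and addresses are made up.
SAMPLE_AUTH_LOG = [
    "Aug  1 03:12:44 host sshd[2231]: Failed password for illegal user test from 192.0.2.10 port 4000 ssh2",
    "Aug  1 03:12:51 host sshd[2233]: Accepted password for admin from 192.0.2.10 port 4001 ssh2",
    "Aug  1 03:20:02 host sshd[2240]: Accepted publickey for alice from 198.51.100.7 port 5000 ssh2",
    "Aug  1 03:21:00 host CRON[2250]: pam_unix(cron:session): session opened for user root by (uid=0)",
]
SAMPLE_PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "alice:x:1000:1000:Alice:/home/alice:/bin/bash",
    "admin:x:1001:1001::/home/admin:/bin/bash",
]

if __name__ == "__main__":
    for result, user, src in suspicious_logins(SAMPLE_AUTH_LOG):
        print(f"{result} login for {user!r} from {src}")
    for user, home in suspicious_accounts(SAMPLE_PASSWD):
        print(f"account {user!r} present with home directory {home}")
```

On a live Woody box the same functions would be fed `open("/var/log/auth.log")` and `open("/etc/passwd")` instead of the constructed lists.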