LINUX.IE, website of the Irish Linux Users' Group
Tux rules!

   
Home
New Users
Articles
Download
Projects
Community
Vendors

  Print Version
Email to...
 
Archives:


planetILUG

Recent News

News Archive


Join the
ILUG
on FaceBook


Join the
ILUG
on LinkedIn


Join the
ILUG SETI
Group



















 
 :: Mailing Lists

[ILUG] Debian Woody ssh hack

[ILUG] Debian Woody ssh hack

Eoin Ryan eoin.ryan at ul.ie
Wed Aug 4 15:09:15 IST 2004 

Hi all,

There appears to be a new exploit of sshd on Debian Woody.  Ssh version:
SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3

At the weekend 2 Debian Woody systems under my control were hacked with
this exploit, which lead to other, non related hacks in the University.

The hacker seemed rather messy and left a lot of tell tale signs behind
that the system was broken into, despite making efforts to patch various
system binaries, as well as patching sshd itself.  Check your
/var/log/auth.log for login attempts to either of the following user
names: test, admin.   Part of the procedure seems to be to add one of
the before mentioned usernames to the system, including /home
directories, so that would seem to be the easiest way of telling if
you've been broken into.

Piecing together from a few recent mails found online as well as the
evidence left behind in logs, it seems that preceding the attack the
hacker will scan target machines and try logging into the daemon with
test/admin.  If the box has already been hacked and ssh patched then
premumably they will get immediate access, if not they will launch their
attack.

The logs reveal a lot of downloaded tools from various websites around
the world.  Some are DDOS tools, others r00t kits etc.  Perhaps the
strangest download though was an iso.tmp file from ftp.esat.net, which
perhaps ties in with wierd behaviour that I noticed on that file server
over the weekend.  The command was:

wget http://ftp.esat.net/pub/linux/debian-cd/3.0_r2/source/debian-update-3.0r2.01-src.iso.tmp

I didn't actually see anything in the logs that the hacker might have
been doing with this file, but at the moment it is still available on
esat.net.

WARNING:
Be very carefull about messing with any tools left behind by the hacker.
The file, go.sh (ssh exploit), which I found a URL to in my history, seems to be
boobie trapped as immediately after running it my system died a sudden
and horrific death.  A re-install worked, but it's a perfect example 
of curiosity killing the cat.

Hope this is usefull,
Eoin.

-- 
When you work here, you can name your own salary. I named mine, "Louie".
-
Eoin Ryan					eoin.ryan at ul.ie
Biocomputing-Developmental Systems Group (BDS)  http://bds.ul.ie
CSG-028, University of Limerick, Ireland	Phone: +353 61 202596
------------------------------------------------------------------------

More information about the ILUG mailing list
Read this without the formatting.
                                                                                                    

  

Hosted by HEAnet


 Maintained by the ILUG website team. The aim of Linux.ie is to support and help commercial and private users of Linux in Ireland. You can display ILUG news in your own webpages, read backend information to find out how. Networking services kindly provided by HEAnet, server kindly donated by Dell. Linux is a trademark of Linus Torvalds, used with permission. No penguins were harmed in the production or maintenance of this highly praised website. Looking for the Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
RSS Version
Powered by Dell