openssh 2.9p2 release 8.7 security alert!!!

Pin Lu pin at stredo.com
Thu Nov 29 18:07:24 EST 2001


Hi, everyone:

My system was compromised a few days ago.
The cracker attacked the system through openssh 2.9p2 release 8.7.
I attached part of the log file.


Thanks.

Pin Lu (pin at stredo.com)


Nov 25 11:33:05 ns sshd[10627]: Disconnecting: Corrupted check bytes on input.
Nov 25 11:33:36 ns named[10478]: Lame server on '55.254.58.211.in-addr.arpa' (in '254.58.211.in-addr.arpa'?): [210.180.98.69].53 'ns2.hananet.net'
Nov 25 11:33:36 ns named[10478]: Lame server on '55.254.58.211.in-addr.arpa' (in '254.58.211.in-addr.arpa'?): [210.94.0.7].53 'ns.hananet.net'
Nov 25 11:33:36 ns named[10478]: ns_forw: query(55.254.58.211.in-addr.arpa) All possible A RR's lame
Nov 25 11:33:45 ns sshd[10689]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:33:45 ns sshd[10690]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:33:46 ns sshd[10691]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:33:46 ns sshd[10692]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:33:47 ns sshd[10693]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:33:48 ns sshd[10694]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:33:49 ns sshd[10696]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:33:50 ns sshd[10698]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:33:50 ns sshd[10700]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:33:51 ns sshd[10701]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:33:51 ns sshd[10702]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:33:52 ns sshd[10703]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:33:59 ns sshd[10714]: Disconnecting: Corrupted check bytes on input.
Nov 25 11:34:00 ns sshd[10715]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:34:01 ns sshd[10716]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:34:02 ns sshd[10717]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:34:02 ns sshd[10718]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:34:03 ns sshd[10719]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:34:03 ns sshd[10720]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:34:05 ns sshd[10722]: Disconnecting: Corrupted check bytes on input.
Nov 25 11:34:05 ns sshd[10723]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:34:06 ns sshd[10724]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:34:06 ns sshd[10725]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:34:07 ns sshd[10726]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:34:08 ns sshd[10727]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:34:08 ns sshd[10728]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:34:40 ns sshd[10771]: Disconnecting: Corrupted check bytes on input.
Nov 25 11:35:21 ns sshd[10832]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:35:21 ns sshd[10833]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:35:22 ns sshd[10834]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:35:22 ns sshd[10835]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:35:23 ns sshd[10836]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:35:24 ns sshd[10837]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:35:24 ns sshd[10838]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:35:25 ns sshd[10840]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:35:26 ns sshd[10841]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:35:27 ns sshd[10842]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:35:34 ns sshd[10854]: Disconnecting: Corrupted check bytes on input.
Nov 25 11:35:35 ns sshd[10855]: Disconnecting: Corrupted check bytes on input.
Nov 25 11:35:36 ns sshd[10856]: Disconnecting: Corrupted check bytes on input.
Nov 25 11:35:36 ns sshd[10857]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:35:37 ns sshd[10858]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:35:37 ns sshd[10859]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:35:38 ns sshd[10860]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:35:45 ns sshd[10871]: Disconnecting: Corrupted check bytes on input.
Nov 25 11:35:46 ns sshd[10872]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:35:46 ns sshd[10873]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:35:47 ns sshd[10874]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:35:48 ns sshd[10875]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:35:48 ns sshd[10876]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:35:49 ns sshd[10877]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:35:50 ns sshd[10878]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:35:50 ns sshd[10879]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:35:51 ns sshd[10881]: Disconnecting: Corrupted check bytes on input.
Nov 25 11:35:52 ns sshd[10882]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:35:53 ns sshd[10883]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:35:53 ns sshd[10884]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:35:54 ns sshd[10885]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:36:25 ns named[10478]: denied update from [24.184.45.120].3015 for "echasqui.com"
Nov 25 11:36:49 ns sshd[10914]: Disconnecting: Corrupted check bytes on input.
Nov 25 11:37:28 ns sshd[10975]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:37:29 ns sshd[10976]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:37:30 ns sshd[10977]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:37:30 ns sshd[10978]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:37:31 ns sshd[10979]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:37:32 ns sshd[10980]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:37:32 ns sshd[10981]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:37:33 ns sshd[10982]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:37:33 ns sshd[10983]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:37:35 ns sshd[10985]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:37:35 ns sshd[10986]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:37:36 ns sshd[10987]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:37:37 ns sshd[10988]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:37:37 ns sshd[10989]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:37:38 ns sshd[10990]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:37:38 ns sshd[10991]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:37:39 ns sshd[10992]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:37:40 ns sshd[10993]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:37:40 ns sshd[10994]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:37:48 ns sshd[11006]: Disconnecting: Corrupted check bytes on input.
Nov 25 11:37:53 ns sshd[11013]: Disconnecting: Corrupted check bytes on input.
Nov 25 11:37:54 ns sshd[11014]: Disconnecting: Corrupted check bytes on input.
Nov 25 11:40:00 ns CROND[11022]: (root) CMD (   /sbin/rmmod -as)
Nov 25 11:40:08 ns adduser[11023]: new group: name=mattanl, gid=528
Nov 25 11:40:08 ns adduser[11023]: new user: name=mattanl, uid=528, gid=528, home=/home/mattanl, shell=/bin/bash
Nov 25 11:40:27 ns adduser[11027]: new group: name=mattan, gid=529
Nov 25 11:40:27 ns adduser[11027]: new user: name=mattan, uid=0, gid=529, home=/home/mattan, shell=/bin/bash
Nov 25 11:40:52 ns PAM_unix[11032]: (system-auth) session opened for user mattanl by (uid=0)
Nov 25 11:40:52 ns  -- mattanl[11032]: LOGIN ON pts/1 BY mattanl FROM PT712079.bezeqint.net
Nov 25 11:41:49 ns PAM_unix[11054]: (system-auth) session opened for user mattan by mattanl(uid=528)
Nov 25 11:43:08 ns sshd[577]: Generating new 768 bit RSA key.
Nov 25 11:43:08 ns sshd[577]: RSA key generation complete.
Nov 25 11:44:09 ns PAM_unix[11054]: (system-auth) session closed for user mattan
Nov 25 11:44:10 ns modprobe: modprobe: Can't locate module binfmt-0000
Nov 25 11:44:10 ns modprobe: modprobe: Can't locate module binfmt-0000
Nov 25 11:44:10 ns in.telnetd: PT712079.bezeqint.net
[14364]: /bin/login: Exec format error
Nov 25 11:45:01 ns PAM_unix[14367]: authentication failure; (uid=0) -> mattanl for system-auth service
Nov 25 11:45:07 ns named[10478]: Lame server on '55.254.58.211.in-addr.arpa' (in '254.58.211.in-addr.arpa'?): [210.94.0.7].53 'ns.hananet.net'
Nov 25 11:45:07 ns named[10478]: Lame server on '55.254.58.211.in-addr.arpa' (in '254.58.211.in-addr.arpa'?): [210.180.98.69].53 'ns2.hananet.net'
Nov 25 11:45:07 ns named[10478]: ns_forw: query(55.254.58.211.in-addr.arpa) All possible A RR's lame
Nov 25 11:45:07 ns sshd[14367]: Could not reverse map address 211.58.254.55.
Nov 25 11:45:07 ns sshd[14367]: Accepted password for mattanl from 211.58.254.55 port 1023 ssh2
Nov 25 11:45:08 ns PAM_unix[14367]: (system-auth) session opened for user mattanl by (uid=0)
Nov 25 11:46:19 ns PAM_unix[14384]: (system-auth) session opened for user mattan by mattanl(uid=528)
Nov 25 11:47:06 ns PAM_unix[14367]: (system-auth) session closed for user mattanl
Nov 25 11:47:07 ns PAM_unix[14384]: (system-auth) session closed for user mattan
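The log above contains the three signals a responder would pull out of it by hand: a burst of "crc32 compensation attack" disconnects (sshd's deattack detector refusing SSH1 connections that carry the attack pattern), an adduser entry that creates a non-root account with uid=0, and subsequent logins to accounts that did not exist at the start of the log. The script below is an added example written for this page, not code from the original post or from OpenSSH. It runs those three checks over an excerpt of the post's own log lines (embedded inline, joined where the list archive wrapped them); the per-minute burst threshold of 3 is an assumption chosen for the excerpt, and the regular expressions assume the classic BSD-syslog line layout shown in the post.

```python
import re
from collections import Counter

# Excerpt of the syslog lines attached to the post above (joined where the
# archive wrapped them). Constructed as sample input for this example.
SAMPLE_LOG = """\
Nov 25 11:33:45 ns sshd[10689]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:33:45 ns sshd[10690]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:33:46 ns sshd[10691]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:33:46 ns sshd[10692]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:33:47 ns sshd[10693]: Disconnecting: crc32 compensation attack: network attack detected
Nov 25 11:33:59 ns sshd[10714]: Disconnecting: Corrupted check bytes on input.
Nov 25 11:37:53 ns sshd[11013]: Disconnecting: Corrupted check bytes on input.
Nov 25 11:40:08 ns adduser[11023]: new group: name=mattanl, gid=528
Nov 25 11:40:08 ns adduser[11023]: new user: name=mattanl, uid=528, gid=528, home=/home/mattanl, shell=/bin/bash
Nov 25 11:40:27 ns adduser[11027]: new user: name=mattan, uid=0, gid=529, home=/home/mattan, shell=/bin/bash
Nov 25 11:40:52 ns PAM_unix[11032]: (system-auth) session opened for user mattanl by (uid=0)
Nov 25 11:41:49 ns PAM_unix[11054]: (system-auth) session opened for user mattan by mattanl(uid=528)
Nov 25 11:45:07 ns sshd[14367]: Accepted password for mattanl from 211.58.254.55 port 1023 ssh2
"""

# Classic BSD-syslog layout: "Mon DD HH:MM:SS host prog[pid]: message" (pid optional).
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+?)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
NEW_USER_RE = re.compile(r"new user: name=(?P<name>[^,]+), uid=(?P<uid>\d+)")
SESSION_RE = re.compile(r"session opened for user (?P<name>\S+) by")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (?P<name>\S+) from (?P<addr>\S+)")


def parse_syslog(text):
    """Parse syslog lines into dicts; lines that do not match the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def crc32_bursts(records, threshold=3):
    """Minutes in which sshd's deattack detector fired at least `threshold` times.

    One such disconnect can be line noise; a run of them one second apart is an
    exploit tool being pointed at the SSH1 protocol. Threshold is an assumption."""
    per_minute = Counter()
    for r in records:
        if r["prog"] == "sshd" and "crc32 compensation attack" in r["msg"]:
            per_minute[r["time"][:5]] += 1  # bucket by HH:MM
    return {minute: n for minute, n in per_minute.items() if n >= threshold}


def uid0_accounts(records):
    """Accounts created with uid=0 under a name other than root (a backdoor root account)."""
    hits = []
    for r in records:
        if r["prog"] != "adduser":
            continue
        m = NEW_USER_RE.search(r["msg"])
        if m and m["uid"] == "0" and m["name"] != "root":
            hits.append(m["name"])
    return hits


def logins_to_new_accounts(records):
    """Sessions opened or logins accepted for accounts created earlier in the same log."""
    created = set()
    events = []
    for r in records:
        m = NEW_USER_RE.search(r["msg"]) if r["prog"] == "adduser" else None
        if m:
            created.add(m["name"])
            continue
        m = SESSION_RE.search(r["msg"]) or ACCEPTED_RE.search(r["msg"])
        if m and m["name"] in created:
            events.append((r["time"], r["prog"], m["name"]))
    return events


def triage(text):
    """Run all three checks and return the findings keyed by check name."""
    records = parse_syslog(text)
    return {
        "crc32_bursts": crc32_bursts(records),
        "uid0_accounts": uid0_accounts(records),
        "new_account_logins": logins_to_new_accounts(records),
    }


if __name__ == "__main__":
    for check, finding in triage(SAMPLE_LOG).items():
        print(f"{check}: {finding}")
```

Run against the full log from the post, the same three functions surface the 11:33 to 11:37 burst, the uid=0 account `mattan`, and every session opened for `mattanl` and `mattan` afterwards; the timestamps of the last two, relative to the end of the burst, are what tells you the account creation came from the attacker rather than from an administrator.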





More information about the openssh-unix-dev mailing list