openssh remote add user exploits?
Kimmo Hovi
krhovi at cc.hut.fi
Thu Feb 13 11:36:27 EST 2003
Hello. Recently I discovered some kind of exploit of openssh used against
me. For configuration info, I am using Mandrake 8.2 with the openssh
package openssh-3.1p1-1mdk.
Fortunately, I was at least somewhat security-aware, and have an
AllowUsers parameter in my sshd config file. I used to allow only public
key logins, but ditched that when I found myself needing access from
multiple places. I was behind my provider's firewall until recently, when
I decided to allow connections from the net (to host my own web site), so
this might be an old one (and I'd guess, since I first opened up the
firewall on Feb 4 2003).
Anyway, the services I have (that is, had) running are httpd (httpd and
httpd-perl in Mandrake), sshd, and xdm (all default Mandrake, no source
builds). The following is a log snippet. What's going on?
PS: I am _NOT_ reading this list, so please cc: all replies to me. Thanks.
Feb 5 09:29:09 narnia adduser[15054]: new user: name=telnet, uid=0, gid=0, home=/usr/doc/, shell=/bin/bash
Feb 5 09:29:48 narnia PAM_pwdb[15055]: new password not acceptable
Feb 5 09:30:06 narnia sshd[15046]: Could not reverse map address 194.105.21.48.
Feb 5 09:30:06 narnia sshd[15046]: User telnet not allowed because not listed in AllowUsers
Feb 5 09:30:06 narnia sshd[15046]: input_userauth_request: illegal user telnet
Feb 5 09:30:06 narnia sshd[15046]: Failed none for illegal user telnet from 194.105.21.48 port 1073 ssh2
Feb 5 09:30:07 narnia sshd[15046]: Failed keyboard-interactive for illegal user telnet from 194.105.21.48 port 1073 ssh2
Feb 5 09:30:12 narnia sshd[15046]: Failed password for illegal user telnet from 194.105.21.48 port 1073 ssh2
Feb 5 09:30:13 narnia sshd[15046]: Failed none for illegal user telnet from 194.105.21.48 port 1073 ssh2
Feb 5 09:30:14 narnia sshd[15046]: Failed keyboard-interactive for illegal user telnet from 194.105.21.48 port 1073 ssh2
Feb 5 09:30:19 narnia sshd[15046]: Connection closed by 194.105.21.48
Feb 5 09:32:19 narnia PAM_pwdb[15069]: password for (telnet/0) changed by ((null)/0)
Feb 5 09:32:43 narnia adduser[15070]: new user: name=bash, uid=0, gid=0, home=/usr/doc/, shell=/bin/bash
Feb 5 09:33:16 narnia PAM_pwdb[15071]: password for (bash/0) changed by ((null)/0)
Feb 5 09:33:46 narnia sshd[15073]: User bash not allowed because not listed in AllowUsers
Feb 5 09:33:46 narnia sshd[15073]: input_userauth_request: illegal user bash
Feb 5 09:33:46 narnia sshd[15073]: Failed none for illegal user bash from 127.0.0.1 port 33853 ssh2
Feb 5 09:33:46 narnia sshd[15073]: Failed keyboard-interactive for illegal user bash from 127.0.0.1 port 33853 ssh2
Feb 5 09:35:55 narnia sshd[15073]: Failed password for illegal user bash from 127.0.0.1 port 33853 ssh2
Feb 5 09:36:24 narnia sshd[15073]: Failed password for illegal user bash from 127.0.0.1 port 33853 ssh2
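The log snippet above contains three signals a responder would want to pull out automatically: adduser creating accounts with uid=0 that are not root, PAM password changes attributed to a (null) caller, and sshd login attempts against those new accounts, with the second set coming from 127.0.0.1, i.e. a process already on the host. The following triage script is an added example, not code from the post or from the OpenSSH project; it parses the syslog lines quoted above (the benign alice line at the end is constructed for contrast) and tags each of those signals so they can be correlated.

```python
import re

# Constructed sample: the syslog lines quoted in the post (re-joined where the
# archive wrapped them), plus one benign, constructed adduser line for contrast.
SAMPLE_LOG = """\
Feb 5 09:29:09 narnia adduser[15054]: new user: name=telnet, uid=0, gid=0, home=/usr/doc/, shell=/bin/bash
Feb 5 09:29:48 narnia PAM_pwdb[15055]: new password not acceptable
Feb 5 09:30:06 narnia sshd[15046]: Could not reverse map address 194.105.21.48.
Feb 5 09:30:06 narnia sshd[15046]: User telnet not allowed because not listed in AllowUsers
Feb 5 09:30:06 narnia sshd[15046]: Failed none for illegal user telnet from 194.105.21.48 port 1073 ssh2
Feb 5 09:30:07 narnia sshd[15046]: Failed keyboard-interactive for illegal user telnet from 194.105.21.48 port 1073 ssh2
Feb 5 09:30:12 narnia sshd[15046]: Failed password for illegal user telnet from 194.105.21.48 port 1073 ssh2
Feb 5 09:32:19 narnia PAM_pwdb[15069]: password for (telnet/0) changed by ((null)/0)
Feb 5 09:32:43 narnia adduser[15070]: new user: name=bash, uid=0, gid=0, home=/usr/doc/, shell=/bin/bash
Feb 5 09:33:16 narnia PAM_pwdb[15071]: password for (bash/0) changed by ((null)/0)
Feb 5 09:33:46 narnia sshd[15073]: User bash not allowed because not listed in AllowUsers
Feb 5 09:33:46 narnia sshd[15073]: Failed password for illegal user bash from 127.0.0.1 port 33853 ssh2
Feb 5 10:00:00 narnia adduser[15099]: new user: name=alice, uid=1001, gid=1001, home=/home/alice, shell=/bin/bash
"""

# Message formats as they appear in the quoted log (old shadow-utils adduser,
# PAM_pwdb and OpenSSH 3.1 wording); other versions phrase these differently.
ADDUSER = re.compile(
    r"adduser\[\d+\]: new user: name=(?P<name>[^,]+), uid=(?P<uid>\d+), "
    r"gid=(?P<gid>\d+), home=(?P<home>[^,]+), shell=(?P<shell>\S+)")
PASSWD = re.compile(
    r"PAM_pwdb\[\d+\]: password for \((?P<user>[^/]+)/(?P<uid>\d+)\) "
    r"changed by \((?P<by>[^/]+)/(?P<byuid>\d+)\)")
ALLOWUSERS = re.compile(
    r"sshd\[\d+\]: User (?P<user>\S+) not allowed because not listed in AllowUsers")
SSHD_FAILED = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\S+) for illegal user (?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)")


def analyze(log_text):
    """Return a list of (tag, account, raw_line) findings, in log order."""
    findings = []
    rogue = set()  # non-root accounts created with uid 0 so far in the log
    for line in log_text.splitlines():
        m = ADDUSER.search(line)
        if m:
            # Any uid-0 account other than root is a second superuser.
            if m["uid"] == "0" and m["name"] != "root":
                rogue.add(m["name"])
                findings.append(("ROGUE_UID0_ACCOUNT", m["name"], line))
            continue
        m = PASSWD.search(line)
        if m:
            # "(null)" means PAM had no calling user identity (no login session).
            if m["by"] == "(null)" or m["user"] in rogue:
                findings.append(("PASSWORD_SET_NO_CALLER", m["user"], line))
            continue
        m = ALLOWUSERS.search(line)
        if m and m["user"] in rogue:
            findings.append(("DENIED_BY_ALLOWUSERS", m["user"], line))
            continue
        m = SSHD_FAILED.search(line)
        if m and m["user"] in rogue:
            # Attempts from loopback imply a process already running on the host.
            local = m["src"].startswith("127.")
            tag = "LOCAL_LOGIN_TO_ROGUE_ACCOUNT" if local else "REMOTE_LOGIN_TO_ROGUE_ACCOUNT"
            findings.append((tag, m["user"], line))
    return findings


def summarize(findings):
    """Count findings per tag."""
    counts = {}
    for tag, _account, _line in findings:
        counts[tag] = counts.get(tag, 0) + 1
    return counts


def rogue_accounts(findings):
    """Set of account names flagged as uid-0 creations."""
    return {acct for tag, acct, _ in findings if tag == "ROGUE_UID0_ACCOUNT"}


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for tag, acct, line in found:
        print(f"{tag:32} {acct:8} {line}")
    print(summarize(found))
```

The script only flags sshd failures against accounts it has already seen created with uid 0, which keeps ordinary brute-force noise out of the output; in this log that leaves the 194.105.21.48 attempts against telnet and the loopback attempts against bash, the latter being the stronger indicator of an existing foothold. Because AllowUsers refused both accounts, the log also shows that the allow-list held even though the host itself was already compromised.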