openssh remote add user exploits?

Bob Proulx bob at proulx.com
Thu Feb 13 16:06:51 EST 2003


Frank Cusack wrote:
> 
> Kimmo Hovi wrote:
> > 
> > Hello. Recently I discovered some kind of exploit of openssh used against
> > me.

I saw no data in the syslog that indicated that ssh was involved in
the _initial_ exploit.  It only appeared after the crack appeared.  In
the timeline it appeared as if someone cracked first and then tried to
use the tools on the system such as ssh later.

> > Feb  5 09:29:09 narnia adduser[15054]: new user: name=telnet, uid=0,
> > gid=0, home=/usr/doc/, shell=/bin/bash

Was this the first indication of a compromise on the system?  The
logging of an adduser command?  If so this indicates that your system
was cracked at least at this point in time by *some* method.  But
without more information it is impossible to say where and how the
crack was accomplished.

Your logs showed activity over a seven-minute time window, which
indicates to me a person interacting and not the speed of a program.
Although it could be a program faking being interactive.

> I don't see how this is at all related to openssh having some kind of
> exploit.  Someone locally added a user named 'telnet' and then tried
> to ssh as that user.

Agreed.

> Your machine is already compromised, it seems, in a way that only allows
> creation of new users, maybe?

That would be bizarre, but possible if some network accessible
sysadmin tool that managed user accounts were compromised.

The normal advice is to take the disk offline and to examine the
remains of the attack without actually running any of the programs
from that disk.  You can't trust them.  Examine the files and programs
as data.  Because of the trail left in syslog this does not appear to
be a sophisticated attack or you would never have been able to notice
it.  But as the advice goes, better safe than sorry.

Meanwhile, back to the ranch where most people don't have the
resources to completely analyze the remains of dead aliens.  This
might be you, I don't know.  But if your machine has been cracked then
you can't trust anything on it now.  You are eventually going to have
to recreate your system from clean sources, such as a new distribution
installation.  So you might as well poke the corpse a bit.  Try to
determine any other signature that might be able to identify the hole.
Otherwise, having learned nothing, if you install the same system you
had before on the disk again you will be vulnerable to the same attack
again.  You said you were running Mandrake and by all reports to me
that is a fine distribution.  If you were current on security patches
you should have been as safe as it was possible to be.

> I was behind my provider's firewall until recently, when I decided to
> allow connections from the net (To host my own web site), so this
> might be an old one (And I'd guess, since I first opened up the
> firewall on Feb 4 2003.

When you opened up the firewall did you open up only specific ports?
Or did you route all traffic to your host?  I am hoping just specific
ports such as SSH and HTTP.  That limits the exposure.  But if all
ports were opened then the possibilities are many.

Bob
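As an added illustration of the kind of syslog check discussed in this thread (not code from the original thread or from OpenSSH): the script below parses the adduser line quoted above, flags any non-root account created with uid=0, and measures the span of the activity window. The sample log is constructed; the sshd line, PIDs and IP address are made up.

```python
import re
from datetime import datetime

# Constructed sample syslog excerpt. The first adduser line is the one
# quoted in the thread; the other lines are made up for the example.
SAMPLE_LOG = """\
Feb  5 09:29:09 narnia adduser[15054]: new user: name=telnet, uid=0, gid=0, home=/usr/doc/, shell=/bin/bash
Feb  5 09:31:40 narnia sshd[15102]: Accepted password for telnet from 192.0.2.10 port 40112 ssh2
Feb  5 09:36:09 narnia adduser[15210]: new user: name=backup, uid=1005, gid=1005, home=/home/backup, shell=/bin/bash
"""

# Classic BSD syslog layout: "Mon dd HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Field layout of the adduser "new user" message as it appears in the thread.
ADDUSER_RE = re.compile(
    r"new user: name=(?P<name>[^,]+), uid=(?P<uid>\d+), gid=(?P<gid>\d+), "
    r"home=(?P<home>[^,]+), shell=(?P<shell>\S+)"
)


def parse_syslog(text, year=2003):
    """Return one dict per parseable line; syslog has no year, so it is supplied."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "prog": m["prog"],
                       "pid": int(m["pid"]), "msg": m["msg"]})
    return events


def find_uid0_accounts(events):
    """Flag adduser events that create a second uid-0 account (a root backdoor)."""
    hits = []
    for ev in events:
        if ev["prog"] != "adduser":
            continue
        m = ADDUSER_RE.search(ev["msg"])
        if m and int(m["uid"]) == 0 and m["name"] != "root":
            hits.append((ev["ts"], m["name"], m["home"]))
    return hits


def activity_window_minutes(events):
    """Span between first and last event, in minutes (0.0 if no events)."""
    if not events:
        return 0.0
    stamps = [e["ts"] for e in events]
    return (max(stamps) - min(stamps)).total_seconds() / 60
```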



