openssh remote add user exploits?

James Dennis jdennis at law.harvard.edu
Fri Feb 14 01:44:32 EST 2003


Um.. you're using openssh 3.1. That's been known to be vulnerable and has 
known exploits. You've been cracked, buddy...

-James

Kimmo Hovi wrote:
> Hello. Recently I discovered some kind of exploit of openssh used against
> me. For configuration info, I am using Mandrake 8.2 with the openssh
> package openssh-3.1p1-1mdk.
> 
> Fortunately, I was at least somewhat security-aware, and have an
> AllowUsers parameter in my sshd config file. I used to allow only public
> key logins, but ditched that when I found myself needing access from
> multiple places. I was behind my provider's firewall until recently, when
> I decided to allow connections from the net (To host my own web site), so
> this might be an old one (And I'd guess, since I first opened up the
> firewall on Feb 4 2003).
> 
> Anyway, the services I have (that is, had) running, are httpd (httpd and
> httpd-perl in mandrake), sshd, and xdm. (All default mandrake, no source
> builds). The following is a log snippet. What's going on?:
> 
> ps, I am _NOT_ reading this list, so please cc: all replies to me. Thanks
> 
> Feb  5 09:29:09 narnia adduser[15054]: new user: name=telnet, uid=0,
> gid=0, home=/usr/doc/, shell=/bin/bash
> Feb  5 09:29:48 narnia PAM_pwdb[15055]: new password not acceptable
> Feb  5 09:30:06 narnia sshd[15046]: Could not reverse map address
> 194.105.21.48.
> Feb  5 09:30:06 narnia sshd[15046]: User telnet not allowed because not
> listed in AllowUsers
> Feb  5 09:30:06 narnia sshd[15046]: input_userauth_request: illegal user
> telnet
> Feb  5 09:30:06 narnia sshd[15046]: Failed none for illegal user telnet
> from 194.105.21.48 port 1073 ssh2
> Feb  5 09:30:07 narnia sshd[15046]: Failed keyboard-interactive for
> illegal user telnet from 194.105.21.48 port 1073 ssh2
> Feb  5 09:30:12 narnia sshd[15046]: Failed password for illegal user
> telnet from 194.105.21.48 port 1073 ssh2
> Feb  5 09:30:13 narnia sshd[15046]: Failed none for illegal user telnet
> from 194.105.21.48 port 1073 ssh2
> Feb  5 09:30:14 narnia sshd[15046]: Failed keyboard-interactive for
> illegal user telnet from 194.105.21.48 port 1073 ssh2
> Feb  5 09:30:19 narnia sshd[15046]: Connection closed by 194.105.21.48
> Feb  5 09:32:19 narnia PAM_pwdb[15069]: password for (telnet/0) changed by
> ((null)/0)
> Feb  5 09:32:43 narnia adduser[15070]: new user: name=bash, uid=0, gid=0,
> home=/usr/doc/, shell=/bin/bash
> Feb  5 09:33:16 narnia PAM_pwdb[15071]: password for (bash/0) changed by
> ((null)/0)
> Feb  5 09:33:46 narnia sshd[15073]: User bash not allowed because not
> listed in AllowUsers
> Feb  5 09:33:46 narnia sshd[15073]: input_userauth_request: illegal user
> bash
> Feb  5 09:33:46 narnia sshd[15073]: Failed none for illegal user bash from
> 127.0.0.1 port 33853 ssh2
> Feb  5 09:33:46 narnia sshd[15073]: Failed keyboard-interactive for
> illegal user bash from 127.0.0.1 port 33853 ssh2
> Feb  5 09:35:55 narnia sshd[15073]: Failed password for illegal user bash
> from 127.0.0.1 port 33853 ssh2
> Feb  5 09:36:24 narnia sshd[15073]: Failed password for illegal user bash
> from 127.0.0.1 port 33853 ssh2
> 

-- 
James Dennis
Harvard Law School

"Not everything that counts can be counted,
and not everything that can be counted counts."
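
An added example, not part of the original thread: the quoted log shows accounts being created with uid=0 and then used in SSH login attempts that AllowUsers rejected. The script below flags that pattern in syslog text; the sample lines are taken from the quoted log with the mail line wraps rejoined, and the function and field names are chosen for this example.

```python
import re

# Lines taken from the quoted log above, with the mail client's wraps rejoined.
SAMPLE_LOG = """\
Feb  5 09:29:09 narnia adduser[15054]: new user: name=telnet, uid=0, gid=0, home=/usr/doc/, shell=/bin/bash
Feb  5 09:30:06 narnia sshd[15046]: User telnet not allowed because not listed in AllowUsers
Feb  5 09:30:12 narnia sshd[15046]: Failed password for illegal user telnet from 194.105.21.48 port 1073 ssh2
Feb  5 09:32:19 narnia PAM_pwdb[15069]: password for (telnet/0) changed by ((null)/0)
Feb  5 09:32:43 narnia adduser[15070]: new user: name=bash, uid=0, gid=0, home=/usr/doc/, shell=/bin/bash
Feb  5 09:33:16 narnia PAM_pwdb[15071]: password for (bash/0) changed by ((null)/0)
Feb  5 09:33:46 narnia sshd[15073]: User bash not allowed because not listed in AllowUsers
Feb  5 09:35:55 narnia sshd[15073]: Failed password for illegal user bash from 127.0.0.1 port 33853 ssh2
"""

NEW_USER = re.compile(r"adduser\[\d+\]: new user: name=(?P<name>[^,]+), uid=(?P<uid>\d+),")
PW_CHANGE = re.compile(r"PAM_pwdb\[\d+\]: password for \((?P<name>[^/]+)/(?P<uid>\d+)\) changed by")
DENIED = re.compile(r"sshd\[\d+\]: User (?P<name>\S+) not allowed because not listed in AllowUsers")
FAILED = re.compile(r"sshd\[\d+\]: Failed \S+ for illegal user (?P<name>\S+) from (?P<src>\S+) port")


def find_rogue_root_accounts(log_text):
    """Return {account: findings} for every non-root account created with uid 0."""
    accounts = {}
    for line in log_text.splitlines():
        m = NEW_USER.search(line)
        if m and m["uid"] == "0" and m["name"] != "root":
            accounts[m["name"]] = {"created": line[:15], "password_set": False,
                                   "blocked_by_allowusers": False, "sources": set()}
        m = PW_CHANGE.search(line)
        if m and m["name"] in accounts:
            accounts[m["name"]]["password_set"] = True
        m = DENIED.search(line)
        if m and m["name"] in accounts:
            accounts[m["name"]]["blocked_by_allowusers"] = True
        m = FAILED.search(line)
        if m and m["name"] in accounts:
            accounts[m["name"]]["sources"].add(m["src"])
    return accounts


if __name__ == "__main__":
    for name, info in find_rogue_root_accounts(SAMPLE_LOG).items():
        print(f"{name}: created {info['created']}, password set: {info['password_set']}, "
              f"sshd denied: {info['blocked_by_allowusers']}, from: {sorted(info['sources'])}")
```

Any account this reports was created with root privileges outside normal provisioning, so the sshd denials are a symptom and the host should be treated as compromised regardless of whether AllowUsers held.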
