openssh vulnerability WITH TCP DUMP!

Damien Miller djm at mindrot.org
Fri Nov 4 23:17:25 EST 2005 

On Fri, 04 Nov 2005 11:54:14 +0100
Evert van de Waal <evert.vandewaal at imtech.nl> wrote:

> Hi Guys,
> 
> My Debian box has been hacked a few days ago using an OpenSSH 
> vulnerability. Subsequently my box was used for sending spam and as a 
> hacking platform (according to my ISP).

How do you know it was an OpenSSH vulnerability? You have provided no
evidence for this theory, indeed quite the opposite.

> The aut.log file shows the following:
> Nov  4 06:25:01 localhost su[5715]: + ??? root:nobody
> Nov  4 06:25:01 localhost su[5715]: (pam_unix) session opened for user 
> nobody by
>  (uid=0)

OpenSSH doesn't use uid nobody for anything. So, unless you had a bad
password set for your nobody account or you broke your PAM
configuration in some way, it probably wasn't OpenSSH that was used to
break in to your system. Since you didn't actually post any logs of a
break-in (just a later privilege escalation), it is impossible to tell.

> In the auth.log from my hacked box, I also had these lines. However, I 
> could not correlate them to TCP messages, so they didn't help me. Now, I 
> do have a full tcp dump ;-)

What you posted isn't a tcpdump, it is just a hex packet dump. Have
you gone out of your way to make it hard to read your packet trace? Even
snoop output would have been easier...

> In the dump file, I found three simple messages that did the job:
> 
> First: A SYN request to the ssh port
> 
> 0000  00 01 80 57 16 3d 00 90  d0 af 86 eb 08 00 45 00   ...W.=.. ......E.
> 0010  00 30 3c 2d 00 00 74 06  1b fd d2 f0 11 2c 0a 00   .0<-..t. .....,..
> 0020  00 82 d6 d3 00 16 7e c1  e4 5f 75 72 0c 80 70 02   ......~. ._ur..p.
> 0030  ff ff d8 83 00 00 02 04  05 b4 01 01 04 02         ........ ...... 
> 
> Next the reply from my box (SYN ACK):
> 0000  00 90 d0 af 86 eb 00 01  80 57 16 3d 08 00 45 00   ........ .W.=..E.
> 0010  00 30 00 00 40 00 40 06  4c 2a 0a 00 00 82 d2 f0   .0.. at .@. L*......
> 0020  11 2c 00 16 d6 d3 55 c4  46 41 7e c1 e4 60 70 12   .,....U. FA~..`p.
> 0030  16 d0 a7 8f 00 00 02 04  05 b4 01 01 04 02         ........ ...... 
> 
> An then the killer. A RST message. The weird ACK (2856040895 according 
> to ethereal) seems to be the culprit:
> 0000  00 01 80 57 16 3d 00 90  d0 af 86 eb 08 00 45 00   ...W.=.. ......E.
> 0010  00 28 a3 31 40 00 34 06  b5 00 d2 f0 11 2c 0a 00   .(.1 at .4. .....,..
> 0020  00 82 d6 d3 00 16 7e c1  e4 60 00 00 00 00 50 04   ......~. .`....P.
> 0030  00 00 87 36 00 00 00 00  00 00 00 00               ...6.... ....   

This is not an attack on OpenSSH, it looks like a type of stealth
portscan that completes enough of the 3-way handshake to avoid synproxy
devices but not enough to activate daemons (thereby leaving spoor in
the logs). Someone more interested could probably match it back to one
of nmap's modes.

BTW ethereal reported the wrong ack sequence number (or you transposed
it wrong).

-d

More information about the openssh-unix-dev mailing list