OpenSSH 0day FUD
For the last couple of days we've been all witnesses of FUD surrounding a supposed 0-day exploit for OpenSSH skyrocketing.
At this moment, it definitely looks like we're dealing with a hoax – even more, it's not the first time someone said they have a 0-day exploit for SSH. So, let's see some facts about this.
It appears that the whole story started after a post to the Full-Disclosure mailing list on the 4th of July (http://seclists.org/fulldisclosure/2009/Jul/0028.html). The post supposedly shows a hacker group using a 0-day exploit for SSH to compromise a server. After doing some research here, it appears that this is a long standing argument between two guys (or groups). One of our readers submitted the following URL address (http://flx.me/astahack2.txt), which shows another hack.
The "exploit" used in that file is a brute force attack for sure, as can be seen below:
anti-sec:~/pwn/xpl# ./openPWN -h 66.96.220.213 -p 2222 -l=users.txt
See the "-l" option? That supplies the list of users it will try to brute force.
Additionally, a bit below it even prints which user was hacked:
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>]
user: crownvip
uname: Linux srv01.webhostline.com
2.6.21.5-hostnoc-3.1.7-libata-grsec-32 #1 SMP Mon Feb 11 06:36:58 EST 2008 i686 i686 i386 GNU/Linux
Now, what has been posted on the Full-Disclosure list (the supposed
exploit) looked like this:
anti-sec:~/pwn/xpl# ./0pen0wn -h xx.yy.143.133 -p 22
Same group, same server, same directory – different file name. Why didn't they use the mighty 0-day first time? They brute forced into the server and then had to jail break.
This looks very much like a hoax to me – and this is the only evidence we have about a 0-day? A post from an anonymous e-mail address (hushmail) to the Full-Disclosure mailing list (which, we all have to admit, isn't the best source of verified information)? And this was even enough for some web hosting companies to *shut down* their SSH service? I find this unbelievable.
Finally, OpenSSH developers would probably agree with me – one of the developers sent an e-mail to the Openssh-unix-dev mailing list (http://lwn.net/Articles/340483/) also stating the obvious.
So, I'd like to ask everyone not to spread the FUD anymore. Every piece of evidence we received so far points only to brute force attacks on SSH servers (which have been around for years!). Do keep an eye on your server and install all patches. We will post more information if we receive it, but until then I think there was enough of this FUD.
--
Bojan
Web App Penetration Testing and Ethical Hacking | Amsterdam | Mar 31st - Apr 5th 2025 |
Comments
If this is of interest to you, check out the DenyHosts website at:
http://denyhosts.sourceforge.net/
Ollie
Ollie Sheridan
Jul 9th 2009
1 decade ago
Joel
Jul 9th 2009
1 decade ago
B!n@ry
Jul 9th 2009
1 decade ago
Another idea is to lockdown all your webserver SSH to only come from workstation "A", which is on a totally different network and ISP. Put Denyhosts on "A" and run no webservices on it, use it at a SSH relay station.
It would certainly keep someone from doing a bruteforce SSH to www.yourhost.com
Jason
Jul 9th 2009
1 decade ago
"... this was even enough for some web hosting companies to *shut down* their SSH service ..."
Someone perpetrated a successful DDoS attack against OpenSSH servers.
Of course, the vulnerability was in the operators, not the software. The technique used was social engineering. It's hard to patch OpenSSH against that.
Ben Scott
Jul 9th 2009
1 decade ago
Other examples [for some systems] are FTP, POP3, Telnet, or someone with a login repeatedly attempting to 'SU' with various passwords.
Mysidia
Jul 10th 2009
1 decade ago