OpenSSH Rumors
Over the past 24 hours we've had a number of readers tell us that there is an OpenSSH exploit in active use. We cannot confirm its existence; the only OpenSSH exploit we know of on Milw0rm is a denial-of-service (DoS) one. If you have any concrete evidence of this (not rumors or URLs to blogs where people are discussing that there might be a problem), please let us know via our contact form. Again, no rumors and no links to discussions of rumors, please. We need reports of active exploitation or other evidence that this is a real issue.
UPDATE 1: One reader sent us a URL to a site showing the active exploitation of a vulnerable system that looks like it was recorded last Friday. So far this is the only "evidence" of an attack. It is against an older version of OpenSSH, so if this is the source of the rumor, it is NOT a problem with the most up-to-date version. Without giving away everything (Google is your friend if you want to find the original), here is a snip from the log:
anti-sec:~/pwn# cd xpl/
anti-sec:~/pwn/xpl# ./0pen0wn -h xx.yy.143.133 -p 22
[+] 0wn0wn – anti-sec group
[+] Target: xx.yy.143.133
[+] SSH Port: 22
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>]
sh-3.2# export HISTFILE=/dev/null
sh-3.2# id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
sh-3.2# uname -a
Linux xx.yy.net 2.6.24.5-grsec-hostnoc-4.0.0-x86_64-libata
#1 SMP Mon Aug 25 15:56:12 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux
sh-3.2# head -n1 /etc/shadow
root:$1$t4e0hufX$UH4Q5jTj93EEAODNrSaWO/:14412:0:99999:7:::
sh-3.2# w
03:43:43 up 7 days, 54 min, 1 user, load average: 9.01, 9.78, 10.73
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 125.238.144.224 20:17 7:26m 13:18 13:18 htop
sh-3.2# pwd
/root
UPDATE 2: Just to make things interesting, here is an anonymous email we received today. The author gave us permission to share the comments but not his/her name.
Expect the SSH exploit to be made public before BH/DC. I have proof that I can't share (sorry), that this exploit does exist, does not work against current versions of SSH, and is actively being used by members of the anti-sec movement.
However, you have no reason to believe anything I am telling you here, as it's nothing that could not have been made public by the single blog posting that (amazingly) became public yesterday. As well, I am not giving you my contact information, etc. So, it's no more than a rumor I am giving you, sorry for that.
It would be really great however if you suggested that everyone upgrade OpenSSH to the newest version, on the off chance the rumor is true though, right? No harm if you are getting bad information in that case.
Once it becomes public (sorry, I am being fed information by someone that wants me to keep it private, and in trust I can't share), I will have some logs I can forward on to you.
Of course, that "proof" may be the log file that we snipped above. Regardless, keep your OpenSSH updated, control who can reach it, and by all means turn it off if you don't need it (don't uninstall the updated binaries, just turn off the service; that way, if it's needed later, you won't accidentally have an out-of-date version running).
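The three things that paragraph asks for, checked on a host, as an added example (not the diary's own script): a version check against a minimum release, an audit of sshd_config for the access controls, and a way to stop and disable sshd without uninstalling it. The function names, the 5.2 minimum (the OpenSSH release current in July 2009) and the sample banner and config are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the diary's own script: check the advice above on a host.
# MIN_VERSION, the function names and the sample banner/config are assumptions
# for illustration; on a real host call live_check as root.

# OpenSSH 5.2 was the current release when this diary was written (July 2009);
# in practice set this to the release the project currently ships.
MIN_VERSION=${MIN_VERSION:-5.2}

# openssh_version_ok BANNER MAJOR.MINOR
# Returns 0 if BANNER (the output of `ssh -V`, or a server banner such as
# "SSH-2.0-OpenSSH_5.2p1") is at least MAJOR.MINOR, 1 if it is older,
# 2 if no OpenSSH version string is present at all.
openssh_version_ok() {
    banner=$1
    min=$2
    ver=$(printf '%s\n' "$banner" | sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    set -- $ver
    have_major=$1
    have_minor=$2
    min_major=${min%%.*}
    min_minor=${min#*.}
    [ "$have_major" -gt "$min_major" ] && return 0
    [ "$have_major" -eq "$min_major" ] && [ "$have_minor" -ge "$min_minor" ] && return 0
    return 1
}

# sshd_config_findings < sshd_config
# Prints one finding per line for the access controls the diary means by
# "control the access"; prints nothing for a config that has them. Matching
# is case-insensitive like sshd's parser; comments are skipped; Match blocks
# are not modelled (assumption: global directives only).
sshd_config_findings() {
    awk '
        /^[ \t]*(#|$)/ { next }
        { key = tolower($1); val = tolower($2) }
        key == "permitrootlogin" { seen_prl = 1 }
        key == "permitrootlogin" && val == "yes" {
            print "PermitRootLogin yes: root can log in directly; use a named account and sudo" }
        key == "passwordauthentication" && val == "yes" {
            print "PasswordAuthentication yes: guessable; prefer public keys" }
        key == "protocol" && val ~ /1/ {
            print "Protocol " $2 ": SSH protocol 1 enabled; allow 2 only" }
        key == "allowusers" || key == "allowgroups" { restricted = 1 }
        END {
            if (!restricted) print "no AllowUsers/AllowGroups: every account with a shell may try to log in"
            # a commented-out directive leaves the compiled-in default in force,
            # and for PermitRootLogin that default was yes on the 2009 releases
            if (!seen_prl) print "PermitRootLogin not set: compiled-in default applies (yes in 2009); set it to no"
        }
    '
}

# Stop and disable the service but keep the package installed, so the next
# upgrade still replaces the binaries on disk and re-enabling later gets the
# current version. Needs root; which branch applies depends on the init
# system (assumption: systemd, Red Hat sysvinit or Debian sysvinit).
disable_sshd_keep_binaries() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl disable --now ssh 2>/dev/null || systemctl disable --now sshd
    elif command -v chkconfig >/dev/null 2>&1; then
        service sshd stop && chkconfig sshd off
    else
        invoke-rc.d ssh stop && update-rc.d ssh disable
    fi
}

# live_check: run the two checks against this host (assumes ssh is installed
# and the config lives at /etc/ssh/sshd_config).
live_check() {
    if openssh_version_ok "$(ssh -V 2>&1)" "$MIN_VERSION"; then
        echo "OpenSSH version: ok ($(ssh -V 2>&1))"
    else
        echo "OpenSSH version: UPGRADE ($(ssh -V 2>&1) is older than $MIN_VERSION)"
    fi
    sshd_config_findings < /etc/ssh/sshd_config
}

# Constructed sample for a stand-alone run: a Red Hat 5 era banner and a
# config with one weak directive and no user restriction.
SAMPLE_BANNER="OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008"
SAMPLE_CONFIG="Protocol 2
PermitRootLogin yes
PasswordAuthentication no"
if openssh_version_ok "$SAMPLE_BANNER" "$MIN_VERSION"; then
    echo "sample banner: ok"
else
    echo "sample banner: older than OpenSSH $MIN_VERSION, upgrade"
fi
printf '%s\n' "$SAMPLE_CONFIG" | sshd_config_findings
```

One caveat the version check cannot cover on its own: distributions such as Red Hat backport fixes without changing the version string, so a 4.3p2 banner on RHEL 5 may already carry the fix for a given bug. Compare the package version against the vendor's advisory in that case; the banner alone says too little.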
UPDATE 3: We've received a few emails that lend credibility to the rumor, and we've received a few more that paint an interesting picture - that the reports are all part of a cover-up to hide another breach that was caused by a sysadmin's mistake. What we are lacking is the actual exploit code. So if this is "for real" would somebody slip us a copy and leave it under the door mat? (Actually, our contact form is the best place.) We won't tell anybody where it came from but it sure would put a lid on this story.
Marcus H. Sachs
Director, SANS Internet Storm Center
Comments
I have received, since Sunday morning, at least 35 alerts coming from one of my Debian servers hosting Debian 5.0, related to SSH access attempts ... It would be nice to give more updates on such attacks ... How could we try to capture the worm/exploit?
Best regards,
Jean
Jean BRUDER
Jul 7th 2009
1. All OpenSSH versions are vulnerable
2. Unknown vulnerability was unwittingly patched as part of a version feature upgrade with newer-than-4.3 OpenSSH versions
3. Red Hat engineers failed to properly fix bugs with their backporting efforts.
- n3kt0n
n3kt0n
Jul 7th 2009
>:(
Frustrated with webhost
Jul 8th 2009
Steven
Jul 8th 2009
magian
Jul 8th 2009
To calm down, I encourage people/admins to use a port-knocking system, especially on their SSH service, at least for the meantime.
B!n@ry
Jul 8th 2009
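The mitigation the comment above suggests, as an added example (not the commenter's or the diary's code): a port-knocking gate in front of the SSH port built from the iptables "recent" match, with no extra daemon. The knock ports, chain names and function name are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not part of the comment above: a port-knocking gate for the
# SSH port built from iptables' "recent" match. Knock ports, chain names and
# the function name are assumptions. Set IPTABLES=echo to preview the rules
# without applying them; applying them needs root.
IPTABLES=${IPTABLES:-iptables}

# knock_rules K1 K2 K3 [SSHPORT]
# A client that sends a SYN to K1, then K2, then K3, each within 10 seconds of
# the previous one, gets a single new SSH connection accepted within the next
# 30 seconds. Any knock out of order resets the sequence to the start.
knock_rules() {
    k1=$1; k2=$2; k3=$3; ssh=${4:-22}
    for c in KNOCKING STATE0 STATE1 STATE2 PASSED; do
        $IPTABLES -N "$c"
    done
    # STATE0: no valid knocks yet; only the first knock port is remembered.
    $IPTABLES -A STATE0 -p tcp --dport "$k1" -m recent --name KNOCK1 --set -j DROP
    $IPTABLES -A STATE0 -j DROP
    # STATE1: first knock seen; the right second knock advances, anything else restarts.
    $IPTABLES -A STATE1 -m recent --name KNOCK1 --remove
    $IPTABLES -A STATE1 -p tcp --dport "$k2" -m recent --name KNOCK2 --set -j DROP
    $IPTABLES -A STATE1 -j STATE0
    # STATE2: two knocks seen; the third completes the sequence.
    $IPTABLES -A STATE2 -m recent --name KNOCK2 --remove
    $IPTABLES -A STATE2 -p tcp --dport "$k3" -m recent --name KNOCK3 --set -j DROP
    $IPTABLES -A STATE2 -j STATE0
    # PASSED: full sequence seen in time; admit one new SSH connection, then forget.
    $IPTABLES -A PASSED -m recent --name KNOCK3 --remove
    $IPTABLES -A PASSED -p tcp --dport "$ssh" -j ACCEPT
    $IPTABLES -A PASSED -j STATE0
    # Dispatch on the most advanced state first so one packet never advances twice.
    $IPTABLES -A KNOCKING -m recent --rcheck --seconds 30 --name KNOCK3 -j PASSED
    $IPTABLES -A KNOCKING -m recent --rcheck --seconds 10 --name KNOCK2 -j STATE2
    $IPTABLES -A KNOCKING -m recent --rcheck --seconds 10 --name KNOCK1 -j STATE1
    $IPTABLES -A KNOCKING -j STATE0
    # Hook into INPUT: established traffic passes; new connections to the knock
    # ports or to SSH are judged by KNOCKING. Everything else is left to the
    # existing policy (assumption: INPUT defaults to DROP).
    $IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -p tcp -m multiport --dports "$k1,$k2,$k3,$ssh" -m conntrack --ctstate NEW -j KNOCKING
}

# Usage (as root):     sh knock.sh 7000 8000 9000
# Preview only:        IPTABLES=echo sh knock.sh 7000 8000 9000
# Client side, open the gate then connect (each knock hits a dropped port, so
# the 1-second timeout bounds the wait):
#   for p in 7000 8000 9000; do nc -z -w 1 host $p; done; ssh host
if [ $# -ge 3 ]; then
    knock_rules "$@"
fi
```

Put the hook rules ahead of any existing rule that accepts port 22, or the gate is bypassed. Port knocking hides the service from scanners that do not know the sequence and nothing more: anyone who can sniff the path sees the knocks, and a vulnerable sshd behind the gate is still vulnerable to a client that has knocked, so the diary's advice to upgrade still applies.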