My next class:

Scanning for Fortinet ssh backdoor

Published: 2016-01-21. Last Updated: 2016-01-21 21:13:53 UTC
by Jim Clausing (Version: 1)
4 comment(s)

On 11 Jan, a Python script was posted on the full-disclosure mailing list that took advantage of a hardcoded ssh password in some older versions of various products from Fortinet (see complete list in Ref [1] below).  Looking at our collected ssh data, we've seen an increase in scanning for those devices in the days since the revelation of the vulnerability.  Nearly all of this scanning has come from two IPs in China (124.160.116.194 and 183.131.19.18).  So if you haven't already applied patches and put ACLs/firewall rules in front of these devices limiting access to ssh from only specific management IPs, you have probably already been scanned and possibly pwned.

References:

[1] http://www.fortiguard.com/advisory/multiple-products-ssh-undocumented-login-vulnerability

---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

4 comment(s)
My next class:

Comments

Do you mind telling me what usrnam & pw you guys put in your honeypot?
I'm not sure what you are asking, these reports come from kippo and cowrie installations around the internet. For this graph I just pulled out attempts to ssh in with a username of Fortimanager_Access which is the account with the hardcoded password on the vulnerable devices.
Sorry, my bad. I thought you pulled that out from your own Kippo. Maybe I should start uploading mine.
No problem. We encourage more folks to upload their ssh logs. Johannes tells me this is actually easiest to do in cowrie rather than kippo. You just need to put the userid and API key in the config it is already builtin. I haven't moved my own kippo sensors over to cowrie yet, but plan to work on that this weekend now that I have a cowrie deploy script for MHN. Perhaps I'll report on how that worked on my next handler shift.

Diary Archives