OpenSSH Rumors
Over the past 24 hours we've had a number of readers tell us that there is an OpenSSH exploit in active use. We cannot confirm its existence, other than a DOS exploit for OpenSSH that is on Milw0rm. If you have any concrete evidence of this (not rumors or URLs to blogs where people are discussing that there might be a problem) please let us know via our contact form. Again, no rumors and no links to discussions of rumors please. We need reports of active exploitation or other evidence that this a real issue.
UPDATE 1: One reader sent us a URL to a site showing the active exploitation of a vulnerable system that looks like it was recorded last Friday. So far this is the only "evidence" of an attack. It is against an older version of OpenSSH so if this is the source of the rumor, then it is NOT a problem with the most updated version. Without giving away everything (Google is your friend if you want to find the original), here is a snip from the log:
anti-sec:~/pwn# cd xpl/
anti-sec:~/pwn/xpl# ./0pen0wn -h xx.yy.143.133 -p 22
[+] 0wn0wn – anti-sec group
[+] Target: xx.yy.143.133
[+] SSH Port: 22
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>]
sh-3.2# export HISTFILE=/dev/null
sh-3.2# id
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
sh-3.2# uname -a
Linux xx.yy.net 2.6.24.5-grsec-hostnoc-4.0.0-x86_64-libata
#1 SMP Mon Aug 25 15:56:12 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux
sh-3.2# head -n1 /etc/shadow
root:$1$t4e0hufX$UH4Q5jTj93EEAODNrSaWO/:14412:0:99999:7:::
sh-3.2# w
03:43:43 up 7 days, 54 min, 1 user, load average: 9.01, 9.78,
10.73
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 125.238.144.224 20:17 7:26m 13:18 13:18 htop
sh-3.2# pwd
/root
UPDATE 2: Just to make things interesting, here is an anonymous email we received today. The author gave us permission to share the comments but not his/her name.
Expect the SSH exploit to be made public before BH/DC. I have proof that I can't share (sorry), that this exploit does exist, does not work against current versions of SSH, and is actively being used by members of the anti-sec movement.
However, you have no reason to believe anything I am telling you here, as its nothing that could not have been made public by the single blog posting that (amazingly) became public yesterday. As well, I am not giving you my contact information, etc. So, its no more then a rumor I am giving you, sorry for that.
It would be really great however if you suggested everyone to upgrade OpenSSH to the newest version, on the off chance the rumor is true thought, right? No harm if you are getting bad information in that case.
Once it becomes public (sorry, I am being fed information by someone that wants me to keep it private, and in trust I can't share), I will have some logs I can forward on to you.
Of course, that "proof" may be the log file that we snipped above. Regardless, keep your OpenSSH updated, control the access, and by all means turn it off if you don't need it (don't uninstall the updated binaries, just turn off the service - that way if it's needed you won't accidentally have an out of date version running.)
UPDATE 3: We've received a few emails that lend credibility to the rumor, and we've received a few more that paint an interesting picture - that the reports are all part of a cover-up to hide another breach that was caused by a sysadmin's mistake. What we are lacking is the actual exploit code. So if this is "for real" would somebody slip us a copy and leave it under the door mat? (Actually, our contact form is the best place.) We won't tell anybody where it came from but it sure would put a lid on this story.
Marcus H. Sachs
Director, SANS Internet Storm Center
* INFOCON Status - staying green
We had some internal discussion overnight about whether to raise our Infocon status to YELLOW because of an 0-day in a Microsoft ActiveX control that was reported yesterday (see the diaries: Internet Explorer and DirectShow). Because there is adequate coverage in the security software community (IDS detection, AV detection, etc.) and Microsoft has a bulletin available we decided to stay GREEN. However, we are flashing the Infocon globe so if you are using Tom Liston's Infocon tracking tool it should be blinking. Consider this a "test of the emergency broadcast system" as well as a reminder to change the batteries in your smoke detectors.
Marcus H. Sachs
Director, SANS Internet Storm Center
Comments