Secure Shell
Remotely replaced sshd_config, CentOS 5.3/SSH 4.3p2-36el5_4.2 Nov 12 2009 05:55PM
Adam Hubscher (offbeatadam gmail com) (1 replies)
Hello Everyone,

Fighting a bit of a nasty morning... anyone seen this before?

We have a number of servers that have password authentication disabled
as well as shell access disabled for all users except those who have
keys. These servers run cPanel and have been updated to the following specs:

2.6.18-164.el5PAE #1 SMP Thu Sep 3 04:10:44 EDT 2009 i686 i686 i386
GNU/Linux
openssh-4.3p2-36.el5_4.2

Early (around midnight-1am CST) this morning we had a widespread attack
via an unknown vector. In the attack, the only thing that I can find is
the following (IP blacked out, although it is the attackers' address):

Nov 12 04:31:22 sharedserver/sharedserver sshd[16083]: Received disconnect from 100.100.100.100: 11: No supported authentication methods available
Nov 12 04:32:14 sharedserver/sharedserver sshd[11265]: Received signal 15; terminating.
Nov 12 04:32:14 sharedserver/sharedserver sshd[16570]: Server listening on :: port 2.
Nov 12 04:32:14 sharedserver/sharedserver sshd[16570]: error: Bind to port 2 on 0.0.0.0 failed: Address already in use.
Nov 12 04:32:27 sharedserver/sharedserver sshd[16611]: Accepted password for root from 100.100.100.100 port 3630 ssh2
Nov 12 04:32:27 sharedserver/sharedserver sshd[16611]: pam_unix(sshd:session): session opened for user root by (uid=0)

The concerning part is that it obviously appears that there is someone
reloading SSHD, but there is no successful login (at all) via shell
prior to this.

This time corresponds with a modified sshd_config that then allows
password authentication, whereby the user then logs in as root and has a
good time, so to speak.

I know that the following vulnerability is out in the wild:

Linux Kernel 'sock_sendpage()' NULL Pointer Dereference Vulnerability

However, since the user never actually logged into the server from what
I can see, I'm still searching for the real way that this occurred.

I have logs from these servers; if you need other information to
help track this down, that is possible. I'm having a hard time
finding the vector for this attack though...

Any assistance would be greatly appreciated.

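The pattern in the quoted log (sshd receives SIGTERM, a new listener starts, and seconds later a password login for root is accepted on a host where password authentication is supposed to be off) is easy to alert on. The following is an added detection example, not code from the original post or from the list; the host name and PIDs in the sample lines are constructed, and the IP is the poster's placeholder.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the sshd lines quoted in the post
# (host name and PIDs are made up; the IP is the post's placeholder).
SAMPLE_LOG = """\
Nov 12 04:31:22 host sshd[16083]: Received disconnect from 100.100.100.100: 11: No supported authentication methods available
Nov 12 04:32:14 host sshd[11265]: Received signal 15; terminating.
Nov 12 04:32:14 host sshd[16570]: Server listening on :: port 2.
Nov 12 04:32:27 host sshd[16611]: Accepted password for root from 100.100.100.100 port 3630 ssh2
Nov 12 09:15:02 host sshd[17002]: Accepted publickey for admin from 10.0.0.5 port 51000 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ACCEPT_RE = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+)")

def parse_line(line, year=2009):
    """Split a syslog-style sshd line into (timestamp, pid, message); None if not sshd."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, int(m["pid"]), m["msg"]

def restart_then_password_logins(log_text, window_s=300):
    """Flag 'Accepted password' logins that occur within window_s seconds of an
    sshd restart (SIGTERM / new listener): the sequence seen in the post, where
    the daemon is bounced to pick up a modified sshd_config and password auth
    then succeeds on a host where it should be disabled."""
    alerts, last_restart = [], None
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, _pid, msg = rec
        if msg.startswith("Received signal 15") or msg.startswith("Server listening"):
            last_restart = ts
            continue
        am = ACCEPT_RE.match(msg)
        if am and am["method"] == "password" and last_restart is not None:
            delta = (ts - last_restart).total_seconds()
            if 0 <= delta <= window_s:
                alerts.append({"user": am["user"], "ip": am["ip"],
                               "seconds_after_restart": delta})
    return alerts

if __name__ == "__main__":
    print(restart_then_password_logins(SAMPLE_LOG))
```

On a key-only fleet any hit from this check is worth treating as a config change to investigate, together with a diff of sshd_config against the expected copy.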
Re: Remotely replaced sshd_config, CentOS 5.3/SSH 4.3p2-36el5_4.2 Nov 13 2009 04:46PM
Mark Mahabir (mark mahabir gmail com)
