Secure Shell
Remotely replaced sshd_config, CentOS 5.3/SSH 4.3p2-36el5_4.2 Nov 12 2009 05:55PM
Adam Hubscher (offbeatadam gmail com) (1 replies)
Re: Remotely replaced sshd_config, CentOS 5.3/SSH 4.3p2-36el5_4.2 Nov 13 2009 04:46PM
Mark Mahabir (mark mahabir gmail com)
2009/11/12 Adam Hubscher <offbeatadam (at) gmail (dot) com [email concealed]>:
> Early (around midnight-1am CST) this morning we had a widespread attack via
> an unknown vector. In the attack, the only thing that I can find is the
> following (IP blacked out, although it is the attackers' address):

A couple of colleagues at UK universities have reported seeing things
similar to the following (they run RHEL5/CentOS/Scientific Linux) :-

A user account was used to log in from two sites:

195.22.101.220 (server14.Xuna.nl)
195.22.100.126 (server12.xuna.nl)

On the compromised systems (RHEL5) the ssh and sshd binaries were
replaced with ones that logged username and plain text password
information to a file called /etc/X11/fonts/misc/s1

The new ssh and sshd had the dates set to the originals, but they didn't
have the a and i attributes set. Their new sizes were

334768 /usr/bin/ssh
445512 /usr/sbin/sshd

The output of 'strings /usr/sbin/sshd' included the following:

/etc/X11/fonts/misc/S1
/etc/X11/fonts/misc/s1
/etc/X11/fonts/misc/s1.tmp
rm -rf /etc/X11/fonts/misc/s1; cp /etc/X11/fonts/misc/s1.tmp
/etc/X11/fonts/misc/s1; chmod o+w /etc/X11/fonts/misc/s1; rm -rf
/etc/X11/fonts/misc/s1.tmp
/usr/X11R6/bin/xauth
no-X11-forwarding

and 'strings /usr/sbin/ssh' included:

/etc/X11/fonts/misc/S1
/etc/X11/fonts/misc/s1

Where a compromised system had had the openssh-server and openssh-clients
rpms updated after the compromise, 'rpm -V' on openssh-server and
openssh-clients looked ok (but the /etc/X11/fonts/misc/s1 file still
existed).

Regards,

Mark

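A defender-side sweep for the indicators Mark lists (the /etc/X11/fonts/misc/s1 credential log, that path embedded in ssh/sshd, the reported trojan sizes, and the missing a/i attributes), added here as an example and not code from the original thread. It assumes a grep that accepts -a and, optionally, lsattr; the ROOT parameter lets it run against a mounted image as well as a live host.

```shell
#!/bin/sh
# Added example (not from the original post): check a host or a mounted image
# for the artefacts described in the thread. It inspects the files directly
# because 'rpm -V' passed once the openssh rpms had been reinstalled.

# credential_log_present ROOT: exit 0 if the logging file named in the post exists.
credential_log_present() {
    root=${1%/}
    for f in "$root/etc/X11/fonts/misc/s1" "$root/etc/X11/fonts/misc/S1" \
             "$root/etc/X11/fonts/misc/s1.tmp"; do
        [ -e "$f" ] && { echo "ioc: $f exists"; return 0; }
    done
    return 1
}

# binary_has_ioc FILE: exit 0 if FILE embeds the credential-log path. grep -a
# scans the binary as text, so 'strings' is not required (s1.tmp matches via s1).
binary_has_ioc() {
    grep -a -q -F -e /etc/X11/fonts/misc/s1 -e /etc/X11/fonts/misc/S1 -- "$1"
}

# size_matches_trojan FILE: exit 0 if FILE has a size reported for the
# replaced binaries (334768 for ssh, 445512 for sshd).
size_matches_trojan() {
    sz=$(wc -c < "$1" | tr -d ' ')
    [ "$sz" -eq 334768 ] || [ "$sz" -eq 445512 ]
}

# lacks_protect_attrs FILE: exit 0 if neither the a nor the i attribute is set
# (the originals had them, the replacements did not); exit 2 if lsattr is unusable.
lacks_protect_attrs() {
    command -v lsattr >/dev/null 2>&1 || return 2
    attrs=$(lsattr -d -- "$1" 2>/dev/null | cut -d' ' -f1) || return 2
    [ -n "$attrs" ] || return 2
    case $attrs in *a*|*i*) return 1 ;; esac
    return 0
}

# sweep ROOT BIN...: run every check; exit 0 if clean, 1 if anything matched.
sweep() {
    root=$1; shift; found=0
    credential_log_present "$root" && found=1
    for b in "$@"; do
        binary_has_ioc "$b" && { echo "ioc: $b references the credential log"; found=1; }
        size_matches_trojan "$b" && { echo "warn: $b has a reported trojan size"; found=1; }
        lacks_protect_attrs "$b" && { echo "warn: $b has neither a nor i attribute"; found=1; }
    done
    return $found
}
```

On a live RHEL5/CentOS host the call is `sweep / /usr/bin/ssh /usr/sbin/sshd`; a non-zero exit means at least one indicator was found and the output names which.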
Copyright 2009, SecurityFocus