Thread: Heads up - Openssh 4.3* 0day
-
07-03-2009, 05:54 PM #1 Disabled (Join Date: May 2006, Posts: 1,426)
Heads up - Openssh 4.3* 0day
Note: I thought I posted this yesterday; either I forgot to hit submit or a mod deleted it for some reason. If mods don't want this thread up, let me know.
I have heard this from a reliable source. It was a recent, pretty big site that got hacked; they had a forensic specialist come in and recover the partitions and such. There is like 500 MB of logs and such related to the hack and I have some info on it. It all started at openssh, not a password login either. The hacker was able to exploit ssh and get in without even showing up as a system user somehow.
As far as getting the exploit and exact strings used, it was not possible as it is encrypted ssh traffic. If someone really knows how to decrypt or read that then I can get you the logs.
Anyway, one of the staff of the site that got hacked - his personal server was hacked with the same method; after he upgraded to the latest version of ssh they weren't able to get back in.
So there is definitely an SSH 0day; the current CentOS/RHEL SSH versions are all vulnerable. To be on the safe side I advise everyone to upgrade via source or a newer package if you can find one.
One easy way to do it is using the update script from the DirectAdmin forums - http://directadmin.com/forum/showthread.php?t=22587 It will work on cPanel servers or any other server as well; it is not control panel related. I successfully upgraded mine.
In yum.conf you need to add *SSH* to the excludes so it doesn't get overwritten with yum update.
I guess I would consider this still a rumor as far as public opinion goes, but from what I have seen and heard from various people it is true. It doesn't hurt anything to upgrade, so why not be on the safe side?
If anyone else has any info on this, post on it.
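Two things the upgrade advice above leaves unverified, shown here as an added example (this is not the poster's code and not the DirectAdmin script): whether the daemon actually answering on the port is the new build, and whether the next yum update will put the old package back. The identification string sshd sends before key exchange is sent in the clear and carries the version, so it can be checked from any host; after a source install the old process keeps running until sshd is restarted, so the banner is what to trust, not `ssh -V`. yum's `exclude` matches package names, so the pattern that pins the RHEL/CentOS packages is `openssh*` (openssh, openssh-server, openssh-clients). The yum.conf layout assumed is the standard one with a `[main]` section; `awk`, `sed` and `mktemp` are assumed present.

```shell
#!/bin/sh
# Added example: verify the sshd that is actually listening, and pin it in yum.
# Not part of the thread; assumes a RHEL/CentOS-style yum.conf with a [main] section.

# Pull the OpenSSH version out of the identification string sshd sends first.
#   "SSH-2.0-OpenSSH_4.3"            -> 4.3
#   "SSH-2.0-OpenSSH_5.2p1 Debian-5" -> 5.2p1
# Returns 1 and prints nothing for a banner that is not OpenSSH.
ssh_banner_version() {
    v=$(printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^SSH-[0-9.]*-OpenSSH_\([^ ]*\).*/\1/p')
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# Grabbing the banner from a live host (not run here, needs the network):
#   banner=$(printf '' | nc -w 3 "$host" 22 | head -n 1)
#   ssh_banner_version "$banner"

# version_ge A B: true when A >= B, comparing the numeric dotted parts.
# The portable-release suffix (p1, p2) is dropped: it is a packaging revision,
# not a different upstream release.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/p.*$/, "", a); sub(/p.*$/, "", b)
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# ensure_yum_exclude FILE PATTERN: make sure [main] in FILE excludes PATTERN.
# Idempotent: appends to an existing exclude= line in [main], or adds one
# directly under the [main] header when there is none.
ensure_yum_exclude() {
    file=$1; pat=$2
    tmp=$(mktemp) || return 1
    # does [main] already carry an exclude= line?
    has=$(awk '/^\[/ { s = $0 } s == "[main]" && /^exclude=/ { print "y"; exit }' "$file")
    awk -v pat="$pat" -v has="$has" '
        /^\[/ { s = $0 }
        # no exclude= in [main] at all: add one right under the header
        s == "[main]" && /^\[main\]/ && has == "" { print; print "exclude=" pat; next }
        # [main] has exclude=: append the pattern unless it is already listed
        s == "[main]" && /^exclude=/ {
            n = split(substr($0, 9), w, /[ ,]+/)
            for (i = 1; i <= n; i++) if (w[i] == pat) { print; next }
            print $0 " " pat; next
        }
        { print }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Typical use after a source upgrade (needs a real box):
#   version_ge "$(ssh_banner_version "$banner")" 5.2 || echo "old sshd still listening"
#   ensure_yum_exclude /etc/yum.conf 'openssh*'
```

The version comparison treats `4.3p2` and `4.3` as the same release on purpose: the `p` suffix is the portable-release number, and the thread's question is whether the box is still on the 4.3 line at all.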
-
07-03-2009, 06:22 PM #2 Web Hosting Master (Join Date: Apr 2006, Location: United Kingdom, Posts: 618)
Thanks for the information. I haven't heard anything about this so it may just be a rumour, still it's better to be safe than sorry as you say.
-
07-03-2009, 06:40 PM #3
-
07-03-2009, 07:46 PM #4 Web Hosting Master (Join Date: Apr 2003, Location: NC, Posts: 3,093)
Interesting.
Did they post details anywhere else or notify any vendors, or are those that were hacked holding the details close?
John W, CISSP, C|EH
MS Information Security and Assurance
ITEagleEye.com - Server Administration and Security
Yawig.com - Managed VPS and Dedicated Servers with VIP Service
-
07-03-2009, 09:06 PM #5 Disabled (Join Date: May 2006, Posts: 1,426)
Well, the hackers sure aren't gonna notify the vendor; they are some group who is against anyone advocating that people secure and update their boxes, or anyone posting security advisories, security tutorials, etc. I guess they think everyone should leave the internet vulnerable just for them.
Here is a pcap log of the exploit being used. It is encrypted SSH traffic though, so I doubt it is of any use.
The people I heard this from are reliable sources and say they are 100% positive it is an openssh 4.3 exploit; they said updating to the latest version kept the hackers from getting back in. There is a chance they are wrong, but even a rumor of an ssh exploit will have me upgrading.
Sometimes, well, most of the time, the RHEL team is slow on updates and CentOS is even slower because they have to wait on them, and it takes them around a week or two to make it a CentOS package, so even if they knew it would take some time to get it fixed. A lot of the versions of RHEL software have made me nervous in the past. I do understand it is all about stability and all, but I think they should upgrade versions more often instead of just throwing a few patches together on the same version.
From what I have gathered this same hacker group has hacked CentOS 4 and CentOS 5 boxes this way. There is a possible exploit on the 2.6.18* RHEL kernels as well. But they did recently release an update so that may have been fixed. I will still run the latest grsecurity to try and be somewhat safe.
Of course we can never make an unhackable server, but we can't let people scare us into not trying to keep each other informed. So I guess everyone can just continue to do what they can and hope for the best.
-
07-03-2009, 09:51 PM #6 Web Hosting Master (Join Date: Apr 2001, Location: Pittsburgh, PA, Posts: 1,306)
You do realize OpenSSH 4.3 was released 3.5 years ago?
http://www.openssh.org/security.html
Kevin
-
07-03-2009, 09:55 PM #7 Problem Solver (Join Date: Mar 2003, Location: California USA, Posts: 13,681)
Steven Ciaburri | Industry's Best Server Management - Rack911.com
Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
-
07-03-2009, 11:09 PM #8 Web Hosting Master (Join Date: May 2001, Posts: 2,167)
Will it affect a server that doesn't use the default ssh port?
-joseph
-
07-03-2009, 11:10 PM #9 Problem Solver (Join Date: Mar 2003, Location: California USA, Posts: 13,681)
-
07-03-2009, 11:14 PM #10 Web Hosting Master (Join Date: May 2001, Posts: 2,167)
-
07-04-2009, 02:06 AM #11 Web Hosting Master (Join Date: Mar 2008, Posts: 1,717)
If I had to hazard a guess, I'd say that the machine was rooted prior to the attack, and that sshd was backdoored... hence them logging in easily and not showing up in wtmp/utmp/whatever. That would also explain why upgrading from source apparently fixed the problem - it probably nuked the backdoor.
Personally I don't know who your trusted source is, but there are some pretty big sites out there running CentOS and chances are good there'd be bigger fish to fry if someone had a zero-day of that caliber. I wouldn't completely rule it out of course, but still...
I used to run the oldest commercial Mumble host.
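The "backdoored sshd, not a 0day" reading in the post above is testable on a RHEL/CentOS box, and the two checks below are the ones a responder would run before anyone pays a forensics firm. This is an added example, not something anyone in the thread posted. It assumes the rpm database is intact (an attacker who also rewrote that defeats the first check, so when in doubt compare `/usr/sbin/sshd` against the file in a freshly downloaded copy of the same package) and the standard Linux `ps -eo pid,ppid,tty,user,comm` and `who` output formats; `who` prints the tty in its second column. The sample outputs embedded below are constructed for the demo. A session that has a pty and an sshd parent but no utmp entry is exactly what "got in without showing up as a system user" looks like on the box, and it is how a stock sshd never behaves.

```shell
#!/bin/sh
# Added example: two quick checks for a replaced sshd on a RHEL/CentOS box.
# Not from the thread. Assumes an intact rpm database and standard ps/who output.

# sshd_binary_tampered: reads `rpm -V openssh-server` output on stdin.
# Each line is an attribute field (S size, M mode, 5 digest, D device, L link,
# U user, G group, T mtime), an optional file type ("c" = config) and a path.
# A changed digest or size on a non-config file means the installed file is
# not the one the package shipped. Prints offending paths; returns 1 if any.
sshd_binary_tampered() {
    awk '
        # a file from the package manifest is gone entirely
        $1 == "missing" { print "missing:  " $NF; bad = 1; next }
        # config files (sshd_config, pam.d/sshd) are expected to differ locally
        $2 == "c" { next }
        # size is column 1 of the attribute field, digest is column 3
        substr($1, 1, 1) == "S" || substr($1, 3, 1) == "5" { print "modified: " $NF; bad = 1 }
        END { exit bad ? 1 : 0 }
    '
}

# hidden_ssh_sessions PSFILE WHOFILE: shells on a pty whose parent is sshd but
# which have no utmp entry (`who` does not list the pty). A stock sshd records
# every pty session; a backdoored one that skips utmp/wtmp shows up here.
#   PSFILE:  output of `ps -eo pid,ppid,tty,user,comm`
#   WHOFILE: output of `who`
# Prints one line per hidden session; returns 1 if any were found.
hidden_ssh_sessions() {
    awk '
        NR == FNR {                         # first file: the ps listing
            if ($1 == "PID") next           # header row
            pid[$1] = 1; ppid[$1] = $2; tty[$1] = $3; user[$1] = $4; comm[$1] = $5
            next
        }
        { seen[$2] = 1 }                    # second file: who, tty is column 2
        END {
            for (p in pid) {
                if (tty[p] !~ /^pts\//) continue          # only pty sessions
                if (comm[ppid[p]] != "sshd") continue     # only sshd children
                if (!(tty[p] in seen)) {
                    print user[p] " on " tty[p] " (pid " p ", sshd parent " ppid[p] ")"
                    bad = 1
                }
            }
            exit bad ? 1 : 0
        }
    ' "$1" "$2"
}

# Constructed sample data for an offline run. The sshd binary has a changed
# digest; root has a shell on pts/0 under sshd that utmp knows nothing about.
SAMPLE_RPMV='S.5....T.    /usr/sbin/sshd
.......T.  c /etc/ssh/sshd_config
S.5....T.  c /etc/pam.d/sshd'
SAMPLE_PS='  PID  PPID TT       USER     COMMAND
 1901     1 ?        root     sshd
 2211  1901 ?        root     sshd
 2215  2211 pts/0    root     bash
 2290  1901 ?        root     sshd
 2294  2290 pts/1    deploy   bash
 2301  2294 pts/1    deploy   vim'
SAMPLE_WHO='deploy   pts/1        2009-07-03 14:05 (198.51.100.7)'

demo_checks() {
    psf=$(mktemp); whof=$(mktemp)
    printf '%s\n' "$SAMPLE_PS" > "$psf"; printf '%s\n' "$SAMPLE_WHO" > "$whof"
    echo "== rpm -V openssh-server (constructed sample) =="
    printf '%s\n' "$SAMPLE_RPMV" | sshd_binary_tampered || echo "-> package files altered"
    echo "== pty sessions under sshd missing from utmp (constructed sample) =="
    hidden_ssh_sessions "$psf" "$whof" || echo "-> hidden session(s) found"
    rm -f "$psf" "$whof"
}
demo_checks

# On a live box:
#   rpm -V openssh-server | sshd_binary_tampered
#   ps -eo pid,ppid,tty,user,comm > /tmp/ps.txt; who > /tmp/who.txt
#   hidden_ssh_sessions /tmp/ps.txt /tmp/who.txt
```

Treat a hit from either check as a lead, not proof: `rpm -V` reports a changed digest for a locally rebuilt package too, and a pty opened by something other than sshd is deliberately ignored. A clean result from both, on a box that was supposedly entered through sshd without a trace, is what makes the 0day story worth taking seriously.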
-
07-04-2009, 02:16 AM #12 Disabled (Join Date: May 2006, Posts: 1,426)
First off, no one claimed to be any security expert. I merely stated I heard this from someone who was hacked this way and had heard it from a few other reliable people as well.
Also I said better safe than sorry and that I believed the people I heard it from; I did not state it was fact. Also, I'm sure you don't know who I heard it from in the first place, Jason.
Amazing how someone dying to get in a thread and post insults won't even read the original post...
But also it would be nice to find out it is just a rumor, which it may be.
Anyway, that is what this forum is for; even if something was heard through the grapevine or whatever that may affect a lot of people, what is the harm in posting it? I don't get it lol, pseudo security experts. Anyone who knows me knows I NEVER claim to be an expert in security.
Last edited by jon-f; 07-04-2009 at 02:20 AM.
-
07-04-2009, 02:19 AM #13 New Member (Join Date: Mar 2009, Posts: 3)
-
07-04-2009, 02:23 AM #14 Disabled (Join Date: May 2006, Posts: 1,426)
No, but he is one of the people I heard it from. Supposedly the pcap log shows the exploit in action. I don't host him either.
Point taken; my goal was not to worry people, but I figured it was worth posting and letting people make their own minds up.
Oh, and I wouldn't have just posted a rumor, but I know those people did have a forensic specialist come in and that was their conclusion on it.
Of course it can all be wrong and just rumor; I hope it is.
-
07-04-2009, 02:25 AM #15 Web Hosting Master (Join Date: Apr 2002, Location: Auckland - New Zealand, Posts: 1,575)
Well, with the smoke the other week regarding ssh, I wouldn't dis this claim totally.
Just keep ssh restricted to only the networks that you want to access it from and you're safe (from an ssh exploit); as always, if you can't get to it there is no chance of being hacked at all. For those with shared access to ssh on port 22, I guess you need to either make the decision to recompile or keep your eyes on the notice boards for any disclosure or confirmed case.
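A concrete form of "keep ssh restricted to the networks you want", added here as an example (not the poster's code): a generator for the iptables rules that validates every source network before it emits anything, so a typo cannot leave the chain half built. It also settles the earlier question about non-default ports: the port number only changes the `--dport` value and does nothing against an exploit of the daemon itself or a replaced binary, whereas the source allow-list keeps the attacker from reaching sshd at all. The addresses in the demo are constructed from documentation ranges; the rules assume they are appended to an INPUT chain whose other traffic is handled elsewhere (the final DROP covers only the ssh port).

```shell
#!/bin/sh
# Added example: emit iptables rules that allow sshd's port only from the named
# networks and drop everything else to that port. Not from the thread.

# ssh_allowlist_rules PORT NET [NET...]
# NET is a.b.c.d or a.b.c.d/len. Prints the rules on success; on bad input
# prints nothing to stdout, reports on stderr and returns 1.
ssh_allowlist_rules() {
    port=$1; shift
    case $port in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
    [ $# -ge 1 ] || { echo "no networks given" >&2; return 1; }

    # validate everything first: dotted quad, optional /0-32, each octet <= 255
    for net in "$@"; do
        printf '%s\n' "$net" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' \
            || { echo "bad network: $net" >&2; return 1; }
        for o in $(printf '%s\n' "${net%/*}" | tr . ' '); do
            [ "$o" -le 255 ] || { echo "bad network: $net" >&2; return 1; }
        done
    done

    # allowed sources first, then a drop for the rest of the traffic to the port;
    # packets from allowed sources match the ACCEPT before reaching the DROP
    for net in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $port -s $net -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# Demo: an office /24 plus one admin host (constructed TEST-NET addresses).
# Pipe the output to sh once it looks right, and save with `service iptables save`.
ssh_allowlist_rules 22 192.0.2.0/24 198.51.100.7
```

Moving sshd to another port only changes the first argument. If the machine also needs to accept ssh from anywhere (a shared host, as the post says), this approach does not apply and the choice really is between rebuilding and watching the advisories.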
-
07-04-2009, 03:53 AM #16
Thread reopened, if you can't post without throwing insults around, then go play outside, we won't have that sort of talk here.
-
07-04-2009, 04:23 AM #17 Disabled (Join Date: May 2006, Posts: 1,426)
I do want to post that I did not mean to alarm anyone. This very well could be a rumor, as I have not seen the exploit or any kind of logfile I can read showing it happen. I apologize for posting this in the first place, but I thought it would be good to at least post what I have heard and let people make up their minds. I did believe the people that told me, but that doesn't make it fact.
I always assume in cases like this it is best to at least give a heads up to a possibly dangerous exploit and see if anyone else has heard about it. But as of now I will have to say this is unconfirmed and possibly just a rumor.
-
07-04-2009, 10:37 AM #18 Web Hosting Master (Join Date: Mar 2008, Posts: 1,717)
Felosi: Was the "security expert" site the one compromised? If so, there's been a rash of that stuff going around a while back and they could be at it again (google "zero for 0wned" or zf0), and I definitely wouldn't rule out a zero-day by any stretch of the imagination.
If it's just some random site and a forensics group came in and said "yup, ssh 0-day" after a few hours of tinkering, then collected a check, I'd make a mental note to never hire them... because the backdoor scenario I wrote about above sounds much, much more likely and would be my first guess.
-
07-04-2009, 08:24 PM #19 Web Hosting Master (Join Date: Apr 2002, Location: Auckland - New Zealand, Posts: 1,575)
Well, this is a bit too much of a coincidence, methinks... http://www.webhostingtalk.com/showthread.php?t=873387
-
07-04-2009, 08:52 PM #20 WHT Addict (Join Date: Jul 2007, Posts: 111)
Has anyone had any similar problems with version 5.x?
-
07-04-2009, 09:00 PM #21 Disabled (Join Date: May 2006, Posts: 1,426)
Yes, and I agree with the second part too; it is very possible that they just got ripped off by those forensic people. At first it was supposed to be a LiteSpeed exploit; they emailed me wanting a refund on the yearly update license they had just bought a month before. I said if they provided some proof it happened that way we would gladly refund them, and George from LiteSpeed said the same thing. They never produced results; I forgot the excuse.
And then with the SSH exploit. Basically someone signed up for hosting with the domain webhostline or something like that. Me, thinking it is some reseller, set it up and all. An hour or so later I find out it is one of the staff from that security site when he came to me about the exploit, and the owner of that security site confirmed it. Turns out those hackers were still after that guy; he had security sites anyway, something I swore I wouldn't host or manage again, so I gave him 24 hours to get his VPS going and finally had to just terminate it because I don't need the trouble, to be honest. Call me a coward or whatever; no one client is worth the trouble those hackers could cause.
Well, I guess they got me a little worried, ya know, and I figured I would post here to see if anyone has heard anything else. So anyway, it seems there is not enough evidence for making this post, so I will have to back off my original position of there definitely being an exploit, as it has been called into doubt.
So ya, let's just say this is highly unconfirmed.
-
07-04-2009, 09:12 PM #22 Web Hosting Master (Join Date: Apr 2002, Location: Auckland - New Zealand, Posts: 1,575)
Highly unconfirmed?
You post 'Heads up 0 day ssh exploit'; a few hours later, after much disbelief and random abusive posts that got trimmed, there pops up another thread posting all the details of an SSH hack against someone on this board!
Am I missing something?
-
07-05-2009, 06:25 AM #23 ******* Unleaded (Join Date: Feb 2004, Posts: 3,849)
Somehow backporting doesn't seem like the best approach. It completely depends on the skill of the coder undertaking the backport.
The openssh devs work very hard at security and know the code well. When they release a new version it might be best to just accept it as is. Or, in the case of Linux, base a new version on the portable branch.
edgedirector.com
managed dns global failover and load balance (gslb)
exactstate.com
uptime report for webhostingtalk.com
-
07-05-2009, 04:29 PM #24 Junior Guru Wannabe (Join Date: Jun 2009, Posts: 43)
I would like the group who did the research to post here... I agree that the ssh might very well have been backdoored. ssh is open source and always being toyed with, so if there was a 0day wouldn't it have been found by now?
-
07-05-2009, 04:55 PM #25 Predatory Poster (Join Date: Jul 2003, Location: Goleta, CA, Posts: 5,566)
Patron: I'd like my free lunch please.
Cafe Manager: Free lunch? Did you read the fine print stating it was an April Fool's joke?
Patron: I read the same way I listen; I ignore the parts I don't agree with. I'm suing you for false advertising.
Cafe Owner: Is our lawyer still working pro bono?