Heads up - Openssh 4.3* 0day

#1 | Disabled | Join Date: May 2006 | Posts: 1,398

Heads up - Openssh 4.3* 0day


Note: I thought I posted this yesterday; either I forgot to hit submit or a mod deleted it for some reason. If mods don't want this thread up, let me know.

I have heard this from a reliable source. It was a recent, pretty big site that got hacked; they had a forensic specialist come in and recover the partitions and such. There is like 500 MB of logs and such related to the hack and I have some info on it. It all started at OpenSSH, not a password login either. The hacker was able to exploit ssh and get in without even showing up as a system user somehow.

As far as getting the exploit and exact strings used, it was not possible as it is encrypted SSH traffic. If someone really knows how to decrypt or read that, then I can get you the logs.

Anyway, one of the staff of the site that got hacked - his personal server was hacked with the same method; after he upgraded to the latest version of ssh they weren't able to get back in.

So there is definitely an SSH 0day; the current CentOS/RHEL SSH versions are all vulnerable. To be on the safe side I advise everyone to upgrade via source or a newer package if you can find one.

One easy way to do it is using the update script from the DirectAdmin forums - http://directadmin.com/forum/showthread.php?t=22587 It will work on cPanel servers or any other server as well; it is not control panel related. I successfully upgraded mine.

In yum.conf you need to add *SSH* to the excludes so it doesn't get overwritten with yum update.

I guess I would consider this still a rumor as far as public opinion goes, but from what I have seen and heard from various people it is true. It doesn't hurt anything to upgrade, so why not be on the safe side?

If anyone else has any info on this, post it.
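An added example of the yum.conf change described in this post; it is not code from the thread or from the DirectAdmin script linked above. The exclude value is a glob matched against package names, so the script uses openssh*, which covers the openssh, openssh-server and openssh-clients packages. To be safe to run anywhere, it edits a constructed sample yum.conf in a temp file rather than /etc/yum.conf; point add_openssh_exclude at the real file to apply it.

```shell
#!/bin/sh
# Added example, not code from the thread. After installing OpenSSH from
# source, stop `yum update` from reinstalling the distro packages over it by
# adding an exclude to the [main] section of yum.conf. The exclude pattern is
# a glob on the package name, so openssh* covers openssh, openssh-server and
# openssh-clients. The script edits a constructed sample yum.conf in a temp
# file, not /etc/yum.conf.

# Write a constructed sample yum.conf to a temp file and print its path.
make_sample_conf() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
[main]
cachedir=/var/cache/yum
keepcache=0
gpgcheck=1
EOF
  printf '%s\n' "$f"
}

# Return 0 if the file already has an exclude= line that names openssh.
has_openssh_exclude() {
  grep -q '^exclude=.*openssh' "$1"
}

# Add openssh* to the exclude list under [main]. An existing exclude= line is
# extended rather than a second one being added. Prints "added" or "present"
# so the caller can tell what happened; returns 0 either way.
add_openssh_exclude() {
  conf=$1
  if has_openssh_exclude "$conf"; then
    printf 'present\n'
    return 0
  fi
  tmp=$(mktemp)
  if grep -q '^exclude=' "$conf"; then
    awk '/^exclude=/ { $0 = $0 " openssh*" } { print }' "$conf" > "$tmp"
  else
    awk '{ print } /^\[main\]/ { print "exclude=openssh*" }' "$conf" > "$tmp"
  fi
  cat "$tmp" > "$conf"   # write back in place so ownership and mode are kept
  rm -f "$tmp"
  printf 'added\n'
}

# Demo on the constructed file.
conf=$(make_sample_conf)
add_openssh_exclude "$conf"      # prints: added
add_openssh_exclude "$conf"      # prints: present
grep '^exclude=' "$conf"         # prints: exclude=openssh*
rm -f "$conf"
```

After applying it to the real file, `yum update` will skip the three openssh packages, which also means you are now responsible for tracking OpenSSH fixes yourself rather than getting them through the vendor errata.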



#2 | Web Hosting Master | Join Date: Apr 2006 | Location: United Kingdom | Posts: 582
Thanks for the information. I haven't heard anything about this so it may just be a rumour, still it's better to be safe than sorry as you say.

__________________
JSHosts - UK Web Hosting
Web Hosting | Reseller Hosting | Windows VPS | Linux VPS
cPanel | Softaculous | CloudLinux | CloudFlare | R1Soft Backups


#3 | Community Leader | Join Date: Oct 2002 | Location: Neck deep in it | Posts: 20,241
Quote (Originally Posted by felosi):
I forgot to hit submit
Or on another forum perhaps. Nothing we did.
Thanks for the heads up, and if you spot anything further about this, by all means add it.

__________________
Having problems, or maybe questions about WHT? Head over to the help desk!



#4 | Web Hosting Master | Join Date: Apr 2003 | Location: NC | Posts: 2,971
Interesting.

Did they post details anywhere else or notify any vendors or those that were hacked holding the details close?

__________________
John W, CISSP, C|EH
MS Information Security and Assurance
ITEagleEye.com - Server Administration and Security
Yawig.com - Managed VPS and Dedicated Servers with VIP Service

#5 | Disabled | Join Date: May 2006 | Posts: 1,398
Well, the hackers sure aren't gonna notify the vendor; they are some group who is against anyone advocating that people secure and update their boxes, or anyone posting security advisories, security tutorials, etc. I guess they think everyone should leave the internet vulnerable just for them.

Here is a pcap log of the exploit being used. It is encrypted SSH traffic though, so I doubt it is of any use.

The people I heard this from are reliable sources and say they are 100% positive it is an OpenSSH 4.3 exploit; they said updating to the latest version kept the hackers from getting back in. There is a chance they are wrong, but even a rumor of an ssh exploit will have me upgrading.

Sometimes, well most of the time, the RHEL team is slow on updates, and CentOS is even slower because they have to wait on them and it takes them around a week or two to make it a CentOS package, so even if they knew it would take some time to get it fixed. A lot of the versions of RHEL software have made me nervous in the past. I do understand it is all about stability and all, but I think they should upgrade versions more often instead of just throwing a few patches together on the same version.

From what I have gathered this same hacker group has hacked CentOS 4 and CentOS 5 boxes this way. There is a possible exploit on the 2.6.18* RHEL kernels as well. But they did recently release an update, so that may have been fixed. I will still run the latest grsecurity to try and be somewhat safe.

Of course we can never make an unhackable server, but we can't let people scare us into not trying to keep each other informed. So I guess everyone can just continue to do what they can and hope for the best.
Attached Files
File Type: zip opensshd_sniff_bug.zip (189.3 KB, 1370 views)

#6 | Community Guide | Join Date: Apr 2001 | Location: Pittsburgh, PA | Posts: 1,303
You do realize OpenSSH 4.3 was released 3.5 years ago?

http://www.openssh.org/security.html

Kevin

#7 | Problem Solver | Join Date: Mar 2003 | Location: California USA | Posts: 13,197
Quote (Originally Posted by sigma):
You do realize OpenSSH 4.3 was released 3.5 years ago?

http://www.openssh.org/security.html

Kevin
Yes. Red Hat backports patches into old versions.

root@corp [~]# rpm -qa |grep openssh
openssh-clients-4.3p2-29.el5
openssh-4.3p2-29.el5
openssh-server-4.3p2-29.el5


CentOS 5 machine

__________________
Steven Ciaburri | Proactive Linux Server Management - Rack911.com
System Administration Extraordinaire | Follow us on twitter:@Rack911Labs
Managed Servers (AS62710), Server Management, and Security Auditing.
www.HostingSecList.com - Security notices for the hosting community.

#8 | Web Hosting Master | Join Date: May 2001 | Posts: 2,165
Will it affect servers that don't use the default ssh port?

-joseph

#9 | Problem Solver | Join Date: Mar 2003 | Location: California USA | Posts: 13,197
Quote (Originally Posted by Mxhub):
Will it affect servers that don't use the default ssh port?

-joseph
Potentially, if someone gets your ssh port.

__________________
Steven Ciaburri | Proactive Linux Server Management - Rack911.com
System Administration Extraordinaire | Follow us on twitter:@Rack911Labs
Managed Servers (AS62710), Server Management, and Security Auditing.
www.HostingSecList.com - Security notices for the hosting community.

#10 | Web Hosting Master | Join Date: May 2001 | Posts: 2,165
Quote (Originally Posted by Steven):
Potentially, if someone gets your ssh port.
- Reminds me to get some anti-port-scanning tool.



-joseph

#11 | Web Hosting Master | Join Date: Mar 2008 | Posts: 1,715
If I had to hazard a guess, I'd say that the machine was rooted prior to the attack, and that sshd was backdoored... hence them logging in easily and not showing up in wtmp/utmp/whatever. That would also explain why upgrading from source apparently fixed the problem - it probably nuked the backdoor.

Personally I don't know who your trusted source is, but there's some pretty big sites out there running CentOS and chances are good there'd be bigger fish to fry if someone had a zero-day of that caliber. I wouldn't completely rule it out of course, but still...

__________________
Jamie @ Sabrienix
Now with Mumble Hosting!
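Steven's rpm -qa listing (post #7) and Jamie's backdoored-sshd theory above both come down to the same defender's question: is the installed package what the vendor shipped? The following is an added example, not code from the thread or from any of the posters. It does two things: splits an RPM name-version-release string so the distro release can be compared, because with Red Hat's backporting the "4.3p2" part never changes and only the release (29.el5 in Steven's output) tells you which fixes are in; and parses `rpm -V` output to report package files whose contents no longer match the RPM database, which is where a replaced sshd binary would show up even though nothing appears in wtmp/utmp. The rpm -V lines in SAMPLE_RPM_V are constructed sample input in that command's format, not a capture from a real host.

```shell
#!/bin/sh
# Added example, not code from the thread. split_nvr/release_ge read the
# distro release out of an RPM name-version-release string; flag_modified_files
# reads `rpm -V` output and reports non-config package files that differ from
# the RPM database. SAMPLE_RPM_V is constructed sample input.

# Print "name version release" for an NVR such as openssh-server-4.3p2-29.el5.
split_nvr() {
  printf '%s\n' "$1" | sed -E 's/^(.*)-([^-]+)-([^-]+)$/\1 \2 \3/'
}

# Return 0 if release $1 is at least release $2, using version-style ordering
# so that 29.el5 sorts after 9.el5. Compare against the release named in the
# vendor errata you need, not against the upstream version.
release_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Constructed rpm -V style lines: a 9-character attribute field (S size,
# 5 digest, T mtime, ...; "." means unchanged), an optional file type
# ("c" for config), then the path. Real input comes from: rpm -V openssh-server
SAMPLE_RPM_V='S.5....T.    /usr/sbin/sshd
.......T.    /usr/bin/ssh-keygen
S.5....T.  c /etc/ssh/sshd_config
missing      /usr/share/man/man8/sshd.8.gz'

# Read rpm -V lines on stdin; print each non-config path that is missing or
# differs in anything other than mtime. Edited config files are expected and
# skipped; a binary with a changed size or digest is not.
flag_modified_files() {
  awk '
    {
      flags = $1
      if (NF >= 3) { type = $2; path = $3 } else { type = ""; path = $2 }
      if (type == "c") next
      if (flags == "missing") { print path; next }
      gsub(/[.T]/, "", flags)
      if (length(flags) > 0) print path
    }'
}

# Demo.
split_nvr openssh-server-4.3p2-29.el5                # openssh-server 4.3p2 29.el5
release_ge 29.el5 26.el5 && echo "29.el5 is at least 26.el5"
printf '%s\n' "$SAMPLE_RPM_V" | flag_modified_files   # /usr/sbin/sshd and the missing man page
```

The caveat that matters for Jamie's scenario: `rpm -V` trusts the RPM database and the rpm binary on the host being checked, both of which a rootkit can alter. On a box you suspect is already compromised, verify from rescue media against a known-good package file (`rpm -Vp` on a freshly downloaded RPM) or compare digests with a clean install, rather than trusting the live system's own answer.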

#12 | Disabled | Join Date: May 2006 | Posts: 1,398
First off, no one claimed to be any security expert. I merely stated I heard this from someone who was hacked this way, and had heard it from a few other reliable people as well.

Also I said better safe than sorry and that I believed the people I heard it from; I did not state it was fact. Also, I'm sure you don't know who I heard it from in the first place, Jason.

Amazing how someone dying to get in a thread and post insults won't even read the original post...

But also it would be nice to find out it is just a rumor, which it may be.

Anyway, that is what this forum is for; even if something was heard through the grapevine or whatever that may affect a lot of people, what is the harm in posting it? I don't get it, lol, pseudo security experts. Anyone who knows me knows I NEVER claim to be an expert in security.


Last edited by jon-f; 07-04-2009 at 02:20 AM.
#13 | New Member | Join Date: Mar 2009 | Posts: 3
Quote (Originally Posted by felosi):
First off, no one claimed to be any security expert. I merely stated I heard this from someone who was hacked this way, and had heard it from a few other reliable people as well.

Also I said better safe than sorry and that I believed the people I heard it from; I did not state it was fact. Also, I'm sure you don't know who I heard it from in the first place, Jason.

Amazing how someone dying to get in a thread and post insults won't even read the original post...
Hm, just gonna take a shot in the dark here: nowayout the security expert, aka 'glafkos', and (but not limited to) Astalavista staff?

#14 | Disabled | Join Date: May 2006 | Posts: 1,398
Quote (Originally Posted by HRDev Jason):
Hm, just gonna take a shot in the dark here: nowayout the security expert, aka 'glafkos', and (but not limited to) Astalavista staff?
No, but he is one of the people I heard it from. Supposedly the pcap log shows the exploit in action. I don't host him either.

Quote (Originally Posted by HRDev Hady):
Yes, but you're still kicking up a fuss and worrying people although it's completely unnecessary. Where's the proof they were 'hacked this way' besides what some pseudo-security expert believes happened?
Point taken, my goal was not to worry people but I figured it was worth posting and let people make their own minds up.

Oh, and I wouldn't have just posted a rumor, but I know the one people did have a forensic specialist come in and that was their conclusion on it.

Of course it can all be wrong and just rumor; I hope it is.

#15 | Web Hosting Master | Join Date: Apr 2002 | Location: Auckland - New Zealand | Posts: 1,572
Well with the smoke the other week regarding ssh, I wouldn't dis this claim totally.

Just keep ssh restricted to only the networks that you want to access it from and you're safe (from an ssh exploit); as always, if you can't get to it there is no chance of being hacked at all. Those with shared access to ssh on port 22, then I guess you need to either make a decision to recompile or keep your eyes on notice boards for any disclosure or confirmed case.

__________________
Flash Arcade Games
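An added example of the "restrict ssh to your own networks" advice in this post; it is not code from the thread. It uses the two mechanisms a CentOS 5 era host actually has for this: iptables rules, and tcp_wrappers via /etc/hosts.allow (which applies only when sshd was built with libwrap, as the vendor packages of that time were; this is an assumption about your build). sshd_config's Match Address block is not an option on 4.3p2, since Match only arrived in OpenSSH 4.4. The allow list and admin address are constructed sample values from the RFC 5737 documentation ranges and SSH_PORT is assumed to be 22; in_cidr exists so the script can refuse to emit rules that would lock out the address you are administering from, which is how most people get burned by this change.

```shell
#!/bin/sh
# Added example, not code from the thread. Generate iptables and tcp_wrappers
# entries that limit sshd to a list of source networks, after checking that
# the admin's own address is covered. ALLOWED_NETS and ADMIN_IP are
# constructed sample values (RFC 5737 ranges); SSH_PORT is assumed to be 22.

SSH_PORT=22
ALLOWED_NETS="192.0.2.0/24 198.51.100.7/32"   # constructed sample allow list
ADMIN_IP=192.0.2.57                            # constructed sample admin address

# Dotted quad to a 32-bit integer.
ip_to_int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer back to a dotted quad.
int_to_ip() {
  printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
                         $(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}

# Netmask as an integer for a prefix length 0..32.
cidr_mask() {
  if [ "$1" -eq 0 ]; then echo 0
  else echo $(( (4294967295 << (32 - $1)) & 4294967295 )); fi
}

# Return 0 if address $1 lies inside CIDR $2 (e.g. 192.0.2.57 192.0.2.0/24).
in_cidr() {
  net=${2%/*}; mask=$(cidr_mask "${2#*/}")
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Return 0 if $1 is inside any network in the space-separated list $2.
in_allow_list() {
  for n in $2; do in_cidr "$1" "$n" && return 0; done
  return 1
}

# Print iptables rules: accept SSH from each allowed network, drop the rest.
gen_iptables_rules() {
  for n in $2; do
    printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$1" "$n"
  done
  printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$1"
}

# Print the /etc/hosts.allow line for the same list in tcp_wrappers'
# net/netmask form; pair it with "sshd: ALL" in /etc/hosts.deny.
gen_hosts_allow() {
  out=""
  for n in $1; do
    entry="${n%/*}/$(int_to_ip "$(cidr_mask "${n#*/}")")"
    out="${out:+$out, }$entry"
  done
  printf 'sshd: %s\n' "$out"
}

# Only emit the rules when the admin address is covered by the allow list.
if in_allow_list "$ADMIN_IP" "$ALLOWED_NETS"; then
  gen_iptables_rules "$SSH_PORT" "$ALLOWED_NETS"
  gen_hosts_allow "$ALLOWED_NETS"
else
  echo "refusing: $ADMIN_IP is not covered by the allow list" >&2
fi
```

The script prints the rules rather than applying them, so they can be reviewed and then fed to the shell, saved with the distribution's firewall tooling, or pasted into hosts.allow. Both layers together are deliberate: the firewall stops the connection before sshd ever sees it, and tcp_wrappers still covers you if the firewall is flushed during a reboot or a botched rule reload.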
