  1. #1
    Join Date
    May 2006
    Posts
    1,426

    Heads up - OpenSSH 4.3* 0day

    Note: I thought I posted this yesterday, either I forgot to hit submit or a mod deleted it for some reason. If mods don't want this thread up lemme know.

    I have heard this from a reliable source. It was a recent pretty big site that got hacked; they had a forensic specialist come in and recover the partitions and such. There is like 500 MB of logs and such related to the hack and I have some info on it. It all started at OpenSSH, not a password login either. The hacker was able to exploit ssh and get in without even showing up as a system user somehow.

    As far as getting the exploit and exact strings used, it was not possible as it is encrypted SSH traffic. If someone really knows how to decrypt or read that then I can get you the logs.

    Anyway, one of the staff of the site that got hacked had his personal server hacked with the same method; after he upgraded to the latest version of ssh they weren't able to get back in.

    So there is definitely an SSH 0day; the current CentOS/RHEL SSH versions are all vulnerable. To be on the safe side I advise everyone to upgrade via source or a newer package if you can find one.

    One easy way to do it is using the update script from directadmin forums - http://directadmin.com/forum/showthread.php?t=22587 It will work on cpanel servers or any other server as well, is not control panel related. I successfully upgraded mine.

    In yum.conf you need to add *SSH* to the excludes so it doesn't get overwritten by yum update.

    I guess I would consider this still a rumor as far as public opinion goes, but from what I have seen and heard from various people it is true. It doesn't hurt anything to upgrade, so why not be on the safe side?

    If anyone else has any info on this post on it.

  2. #2
    Join Date
    Apr 2006
    Location
    United Kingdom
    Posts
    618
    Thanks for the information. I haven't heard anything about this so it may just be a rumour, still it's better to be safe than sorry as you say.

  3. #3
    Join Date
    Oct 2002
    Location
    /roof/ledge
    Posts
    28,074
    Quote Originally Posted by felosi View Post
    I forgot to hit submit
    Or on another forum perhaps. Nothing we did.
    Thanks for the heads up, and if you spot anything further about this, by all means add it.
    Your one stop shop for decentralization

  4. #4
    Join Date
    Apr 2003
    Location
    NC
    Posts
    3,093
    Interesting.

    Did they post details anywhere else or notify any vendors or those that were hacked holding the details close?
    John W, CISSP, C|EH
    MS Information Security and Assurance
    ITEagleEye.com - Server Administration and Security
    Yawig.com - Managed VPS and Dedicated Servers with VIP Service

  5. #5
    Join Date
    May 2006
    Posts
    1,426
    Well, the hackers sure aren't gonna notify the vendor; they are some group who is against anyone advocating people secure and update their boxes, or anyone posting security advisories, security tutorials, etc. I guess they think everyone should leave the internet vulnerable just for them.

    Here is a pcap log of the exploit being used. It is encrypted SSH traffic though so I doubt it is of any use.

    The people I heard this from are reliable sources and say they are 100% positive it is an openssh 4.3 exploit, they said updating to the latest version kept the hackers from getting back in. There is a chance they are wrong but even a rumor of an ssh exploit will have me upgrading.

    Sometimes, well most of the time, the RHEL team is slow on updates and CentOS is even slower because they have to wait on them, and it takes them around a week or two to make it a CentOS package, so even if they knew it would take some time to get it fixed. A lot of the versions of RHEL software have made me nervous in the past. I do understand it is all about stability and all, but I think they should upgrade versions more often instead of just throwing a few patches together on the same version.

    From what I have gathered this same hacker group has hacked centos 4 and centos 5 boxes this way. There is a possible exploit on the 2.6.18* RHEL kernels as well. But they did recently release an update so that may have been fixed. I will still run the latest grsecurity to try and be somewhat safe.

    Of course we can never make an unhackable server, but we can't let people scare us into not trying to keep each other informed. So I guess everyone can just continue to do what they can and hope for the best.

  6. #6
    Join Date
    Apr 2001
    Location
    Pittsburgh, PA
    Posts
    1,306
    You do realize OpenSSH 4.3 was released 3.5 years ago?

    http://www.openssh.org/security.html

    Kevin

  7. #7
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    Quote Originally Posted by sigma View Post
    You do realize OpenSSH 4.3 was released 3.5 years ago?

    http://www.openssh.org/security.html

    Kevin
    Yes. Redhat backports patches into old versions.

    root@corp [~]# rpm -qa |grep openssh
    openssh-clients-4.3p2-29.el5
    openssh-4.3p2-29.el5
    openssh-server-4.3p2-29.el5


    Centos 5 machine
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  8. #8
    Will it affect server that doesn't use the default ssh port?

    -joseph

  9. #9
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    Quote Originally Posted by Mxhub View Post
    Will it affect server that doesn't use the default ssh port?

    -joseph
    Potentially, if someone finds your ssh port.

  10. #10
    Quote Originally Posted by Steven View Post
    potentially if someone gets your ssh port.
    Reminds me of getting some anti-port-scanning tool.

    -joseph

  11. #11
    Join Date
    Mar 2008
    Posts
    1,717
    If I had to hazard a guess, I'd say that the machine was rooted prior to the attack, and that sshd was backdoored... hence them logging in easily and not showing up in wtmp/utmp/whatever. That would also explain why upgrading from source apparently fixed the problem - it probably nuked the backdoor.

    Personally I don't know who your trusted source is, but there's some pretty big sites out there running CentOS and chances are good there'd be bigger fish to fry if someone had a zero-day of that caliber. I wouldn't completely rule it out of course, but still...
    I used to run the oldest commercial Mumble host.
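Two checks this discussion points at, written here as an added example and not as anything posted in the thread: the release number that Red Hat's backports bump while the upstream version string stays at 4.3p2 (post #7), and the rpm -V file check that a replaced sshd binary (the backdoor scenario in post #11) would normally fail. The rpm -V output below is a constructed sample, not output from any host in the thread.

```shell
#!/bin/sh
# Added example (not posted in the thread). Two triage checks the discussion
# raises, runnable offline on the constructed sample data below.
set -f   # no globbing while we word-split rpm output

# Release number of a package name as "rpm -qa" prints it, e.g.
# openssh-server-4.3p2-29.el5 -> 29. Red Hat backports bump only this
# number; the upstream version (4.3p2) stays, so compare releases, not versions.
pkg_release() {
    rel=${1##*-}                 # 29.el5
    printf '%s\n' "${rel%%.*}"   # 29
}

# Constructed sample of "rpm -V openssh-server" output (a clean package prints
# nothing). Column 1 holds the attribute flags: S size, 5 digest, T mtime, ...;
# an optional "c" marks a config file; "missing" means the file is gone.
SAMPLE_VERIFY='S.5....T.    /usr/sbin/sshd
.......T.  c /etc/ssh/sshd_config
missing     /usr/share/man/man8/sshd.8.gz'

# Reads rpm -V lines on stdin and prints each non-config file whose contents
# changed (size or digest flag set). A replaced sshd, the backdoor scenario
# from post #11, shows up here; mtime-only changes and config edits do not.
# Caveat: prelink can alter binaries legitimately, and an attacker with root
# can also tamper with the rpm database, so confirm hits against a freshly
# downloaded package ("rpm -Vp") or known-good hashes from another host.
changed_binaries() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        set -- $line                     # split into attrs [type] path
        attrs=$1
        [ "$attrs" = missing ] && continue
        if [ $# -ge 3 ]; then ftype=$2; path=$3; else ftype=""; path=$2; fi
        [ "$ftype" = c ] && continue     # edited config is expected
        case "$attrs" in
            *S*|*5*) printf '%s\n' "$path" ;;
        esac
    done
}

# Stand-alone run on the sample; on a real host pipe "rpm -V openssh-server" in.
printf '%s\n' "$SAMPLE_VERIFY" | changed_binaries
```

Paths containing spaces are not handled by the word split, which is fine for package-owned system files.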

  12. #12
    Join Date
    May 2006
    Posts
    1,426
    First off no one claimed to be any security expert. I merely stated I heard this from someone who was hacked this way and had heard it from a few other reliable people as well.

    Also I said better safe then sorry and that I believed the people I heard it from, I did not state it was fact. Also, I'm sure you don't know who I heard it from in the first place Jason.

    Amazing how someone dying to get in a thread and post insults won't even read the original post...

    But also it would be nice to find out it is just a rumor which it may be.

    Anyway, that is what this forum is for. Even if something was heard through the grapevine or whatever that may affect a lot of people, what is the harm in posting it? I don't get it lol, pseudo security experts. Anyone who knows me knows I NEVER claim to be an expert in security.
    Last edited by jon-f; 07-04-2009 at 02:20 AM.

  13. #13
    Quote Originally Posted by felosi View Post
    First off no one claimed to be any security expert. I merely stated I heard this from someone who was hacked this way and had heard it from a few other reliable people as well.

    Also I said better safe then sorry and that I believed the people I heard it from, I did not state it was fact. Also, I'm sure you don't know who I heard it from in the first place Jason.

    Amazing how someone dying to get in a thread and post insults won't even read the original post...
    Hm, just gonna put a shot in the dark here: nowayout the security expert! aka 'glafkos' and (but not limited to) astalavista staff?

  14. #14
    Join Date
    May 2006
    Posts
    1,426
    Quote Originally Posted by HRDev Jason View Post
    Hm, just gonna put a shot in the dark here: nowayout the security expert! aka 'glafkos' and (but not limited to) astalavista staff?
    No, but he is one of the people I heard it from. Supposedly the pcap log shows the exploit in action. I don't host him either.

    Quote Originally Posted by HRDev Hady View Post
    Yes, but you're still kicking up a fuss and worrying people although it's completely unnecessary. Where's the proof they were 'hacked this way' besides what some pseudo-security expert believes happened?
    Point taken, my goal was not to worry people but I figured it was worth posting and let people make their own minds up.

    Oh, and I wouldn't have just posted a rumor, but I know the one group did have a forensic specialist come in and that was their conclusion on it.

    Of course it can all be wrong and just a rumor; I hope it is.

  15. #15
    Join Date
    Apr 2002
    Location
    Auckland - New Zealand
    Posts
    1,575
    Well with the smoke the other week regarding ssh, I wouldn't dis this claim totally.

    Just keep ssh restricted to only the networks that you want to access it from and you're safe (from an ssh exploit); as always, if you can't get to it there is no chance of being hacked at all. Those with shared access to ssh on port 22, then I guess you need to either make a decision to recompile or keep your eyes on notice boards for any disclosure or confirmed case.

  16. #16
    Join Date
    Jul 2002
    Location
    Victoria, Australia
    Posts
    36,939
    Thread reopened, if you can't post without throwing insults around, then go play outside, we won't have that sort of talk here.

  17. #17
    Join Date
    May 2006
    Posts
    1,426
    I do want to post that I did not mean to alarm anyone. This very well could be a rumor, as I have not seen the exploit or any kind of logfile I can read showing it happen. I apologize for posting this in the first place, but I thought it would be good to at least post what I have heard and let people make up their minds. I did believe the people that told me, but that doesn't make it fact.

    I always assume in cases like this it is best to at least give a heads up on a possibly dangerous exploit and see if anyone else has heard about it. But as of now I will have to say this is unconfirmed and possibly just a rumor.

  18. #18
    Join Date
    Mar 2008
    Posts
    1,717
    Felosi: Was the "security expert" site the one compromised? If so, there's been a rash of that stuff going around a while back and they could be at it again (google "zero for 0wned" or zf0) and I definitely wouldn't rule out a zero-day by any stretch of the imagination.

    If it's just some random site and forensics group came in and said "yup, ssh 0-day" after a few hours of tinkering then collected a check, I'd make a mental note to never hire them... because the backdoor scenario I wrote about above sounds much much more likely and would be my first guess.

  19. #19
    Join Date
    Apr 2002
    Location
    Auckland - New Zealand
    Posts
    1,575
    Well this is a bit too much of a coincidence me thinks .. http://www.webhostingtalk.com/showthread.php?t=873387

  20. #20
    Has anyone had any similar problems with version 5.x?
    █ Wafer VPS
    US North Carolina Based
    Self-Managed OpenVZ VPS Hosting
    Check out our offers!

  21. #21
    Join Date
    May 2006
    Posts
    1,426
    Quote Originally Posted by fwaggle View Post
    Felosi: Was the "security expert" site the one compromised? If so, there's been a rash of that stuff going around a while back and they could be at it again (google "zero for 0wned" or zf0) and I definitely wouldn't rule out a zero-day by any stretch of the imagination.

    If it's just some random site and forensics group came in and said "yup, ssh 0-day" after a few hours of tinkering then collected a check, I'd make a mental note to never hire them... because the backdoor scenario I wrote about above sounds much much more likely and would be my first guess.
    Yes, and I agree with the second part too; it is very possible that they just got ripped off by those forensic people. At first it was supposed to be a LiteSpeed exploit; they emailed me wanting a refund on the yearly update license they had just bought a month before. I said if they provided some proof it happened that way we would gladly refund them, and George from LiteSpeed said the same thing. They never produced results; I forgot the excuse.

    And then with the SSH exploit. Basically someone signed up for hosting with the domain webhostline or something like that. Me, thinking it is some reseller, sets it up and all. An hour or so later I find out it is one of the staff from that security site when he came to me about the exploit, and the owner of that security site confirmed it. Turns out those hackers were still after that guy; he had security sites anyway, something I swore I wouldn't host or manage again, so I gave him 24 hours to get his VPS going and finally had to just terminate it because I don't need the trouble, to be honest. Call me a coward or whatever; no one client is worth the trouble those hackers could cause.

    Well, I guess they got me a lil worried, ya know, and I figured I would post here to see if anyone has heard anything else. So anyway, it seems there is not enough evidence for making this post, so I will have to back off my original position of there definitely being an exploit, as it has been called into doubt.

    So ya, let's just say this is highly unconfirmed.

  22. #22
    Join Date
    Apr 2002
    Location
    Auckland - New Zealand
    Posts
    1,575
    Highly unconfirmed?

    You post 'Heads up 0 day ssh exploit'; a few hours later, after much disbelief and random abusive posts that got trimmed up, there pops up another thread posting all the details of an SSH hack against someone on this board!

    Am I missing something?

  23. #23
    Quote Originally Posted by Steven View Post
    Yes. Redhat backports patches into old versions.

    root@corp [~]# rpm -qa |grep openssh
    openssh-clients-4.3p2-29.el5
    openssh-4.3p2-29.el5
    openssh-server-4.3p2-29.el5


    Centos 5 machine
    Somehow backporting doesn't seem like the best approach. It completely depends on the skill of the coder undertaking the backport.

    The OpenSSH devs work very hard at security and know the code well. When they release a new version it might be best to just accept it as is. Or, in the case of Linux, base a new version on the portable branch.
    edgedirector.com
    managed dns global failover and load balance (gslb)
    exactstate.com
    uptime report for webhostingtalk.com

  24. #24
    Join Date
    Jun 2009
    Posts
    43
    I would like the group who did the research to post here... I agree that the ssh might have very well been backdoored. ssh is open source and always being toyed with, so if there was a 0day wouldn't it have been found by now?

  25. #25
    Join Date
    Jul 2003
    Location
    Goleta, CA
    Posts
    5,566
    Quote Originally Posted by elfz View Post
    I would like the group who did the research to post here... I agree that the ssh might have very well been backdoored. ssh is open source and always being toyed with, so if there was a 0day wouldn't it have been found by now?
    Absolutely not, it's quite easy to hide things in plain sight.
    Patron: I'd like my free lunch please.
    Cafe Manager: Free lunch? Did you read the fine print stating it was an April Fool's joke.
    Patron: I read the same way I listen, I ignore the parts I don't agree with. I'm suing you for false advertising.
    Cafe Owner: Is our lawyer still working pro bono?