  1. #1
    Join Date
    May 2006
    Posts
    1,398

    Exclamation Heads up - Openssh 4.3* 0day

Note: I thought I posted this yesterday; either I forgot to hit submit or a mod deleted it for some reason. If the mods don't want this thread up, let me know.

I have heard this from a reliable source. A pretty big site recently got hacked; they had a forensic specialist come in and recover the partitions and such. There are around 500 MB of logs and such related to the hack and I have some info on it. It all started at openssh, and not a password login either. The hacker was able to exploit ssh and get in without even showing up as a system user somehow.

As far as getting the exploit and the exact strings used, it was not possible as it is encrypted ssh traffic. If someone really knows how to decrypt or read that, then I can get you the logs.

Anyway, one of the staff of the site that got hacked had his personal server hacked with the same method; after he upgraded to the latest version of ssh they weren't able to get back in.

So there is definitely an SSH 0day; the current CentOS/RHEL SSH versions are all vulnerable. To be on the safe side I advise everyone to upgrade via source or a newer package if you can find one.

One easy way to do it is using the update script from the DirectAdmin forums: http://directadmin.com/forum/showthread.php?t=22587 It will work on cPanel servers or any other server as well; it is not control panel related. I successfully upgraded mine.

In yum.conf you need to add *SSH* to the excludes so it doesn't get overwritten by yum update.

I guess I would consider this still a rumor as far as public opinion goes, but from what I have seen and heard from various people it is true. It doesn't hurt anything to upgrade, so why not be on the safe side?

If anyone else has any info on this, post it.

  2. #2
    Join Date
    Apr 2006
    Location
    United Kingdom
    Posts
    600
    Thanks for the information. I haven't heard anything about this so it may just be a rumour, still it's better to be safe than sorry as you say.
    JSHosts - UK Web Hosting
    Web Hosting | Reseller Hosting | Windows VPS | Linux VPS
    cPanel | Softaculous | CloudLinux | CloudFlare | R1Soft Backups

  3. #3
    Join Date
    Oct 2002
    Location
    Middle Dearth
    Posts
    21,054
    Quote Originally Posted by felosi View Post
    I forgot to hit submit
    Or on another forum perhaps. Nothing we did.
    Thanks for the heads up, and if you spot anything further about this, by all means add it.
    Having problems, or maybe questions about WHT? Head over to the help desk!

  4. #4
    Join Date
    Apr 2003
    Location
    NC
    Posts
    3,078
    Interesting.

Did they post details anywhere else or notify any vendors, or are those that were hacked holding the details close?
    John W, CISSP, C|EH
    MS Information Security and Assurance
    ITEagleEye.com - Server Administration and Security
    Yawig.com - Managed VPS and Dedicated Servers with VIP Service

  5. #5
    Join Date
    May 2006
    Posts
    1,398
Well, the hackers sure aren't going to notify the vendor; they are some group who is against anyone advocating that people secure and update their boxes, or anyone posting security advisories, security tutorials, etc. I guess they think everyone should leave the internet vulnerable just for them.

Here is a pcap log of the exploit being used. It is encrypted SSH traffic though, so I doubt it is of any use.

The people I heard this from are reliable sources and say they are 100% positive it is an openssh 4.3 exploit; they said updating to the latest version kept the hackers from getting back in. There is a chance they are wrong, but even a rumor of an ssh exploit will have me upgrading.

Sometimes, well, most of the time, the RHEL team is slow on updates, and CentOS is even slower because they have to wait on them, and it takes them around a week or two to make it a CentOS package, so even if they knew it would take some time to get it fixed. A lot of the versions of RHEL software have made me nervous in the past. I do understand it is all about stability and all, but I think they should upgrade versions more often instead of just throwing a few patches together on the same version.

From what I have gathered this same hacker group has hacked CentOS 4 and CentOS 5 boxes this way. There is a possible exploit on the 2.6.18* RHEL kernels as well, but they did recently release an update so that may have been fixed. I will still run the latest grsecurity to try and be somewhat safe.

Of course we can never make an unhackable server, but we can't let people scare us into not trying to keep each other informed. So I guess everyone can just continue to do what they can and hope for the best.
Attached Files

  6. #6
    Join Date
    Apr 2001
    Location
    Pittsburgh, PA
    Posts
    1,303
    You do realize OpenSSH 4.3 was released 3.5 years ago?

    http://www.openssh.org/security.html

    Kevin

  7. #7
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,249
    Quote Originally Posted by sigma View Post
    You do realize OpenSSH 4.3 was released 3.5 years ago?

    http://www.openssh.org/security.html

    Kevin
    Yes. Redhat backports patches into old versions.

    root@corp [~]# rpm -qa |grep openssh
    openssh-clients-4.3p2-29.el5
    openssh-4.3p2-29.el5
    openssh-server-4.3p2-29.el5


    Centos 5 machine
    Steven Ciaburri | Proactive Linux Server Management - Rack911.com
    System Administration Extraordinaire | Follow us on twitter:@Rack911Labs
    Managed Servers (AS62710), Server Management, and Security Auditing.
    www.HostingSecList.com - Security notices for the hosting community.
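Red Hat's backported packages, as the rpm listing above shows, keep the upstream version string (4.3p2) while the later fixes are tracked in the release number (-29.el5), so `rpm -qa` alone cannot tell you whether a particular fix is present; the package changelog can. The following is an added shell example, not code from this thread or from Red Hat: it pulls CVE ids out of changelog text and splits an rpm name into its upstream version and distro release. The changelog lines it runs on are constructed for the demo; the two CVE ids in them are real OpenSSH identifiers used only as sample data, not a claim about which release fixed them.

```shell
#!/bin/sh
# Constructed stand-in for the output of `rpm -q --changelog openssh-server`
# on a RHEL/CentOS 5 box. The entry format is real; the dates, maintainer
# and the mapping of these CVE ids to 4.3p2 releases are made up for the
# demo and are NOT Red Hat's actual changelog.
SAMPLE_CHANGELOG='* Tue Jun 02 2009 Example Maintainer <maint@example.com> - 4.3p2-29
- example entry: backported fix for CVE-2008-5161
* Mon Oct 02 2006 Example Maintainer <maint@example.com> - 4.3p2-10
- example entry: backported fix for CVE-2006-5051
'

# Print every CVE id mentioned in changelog text read from stdin,
# one per line, sorted and deduplicated.
cves_in_changelog() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Exit 0 if the changelog on stdin mentions the CVE id given as $1.
# Usage: rpm -q --changelog openssh-server | changelog_has_cve CVE-2006-5051
changelog_has_cve() {
    cves_in_changelog | grep -qx "$1"
}

# Split an rpm name-version-release string such as
# openssh-server-4.3p2-29.el5 into "<upstream version> <distro release>".
# The package name may itself contain dashes, so take the last two fields.
rpm_version_release() {
    printf '%s\n' "$1" | awk -F- '{ printf "%s %s\n", $(NF-1), $NF }'
}

# Demo on the constructed sample. On a real box replace the printf with
#   rpm -q --changelog openssh-server
printf '%s' "$SAMPLE_CHANGELOG" | cves_in_changelog
rpm_version_release openssh-server-4.3p2-29.el5
```

The version split only tells you what upstream code base the package started from; whether a given advisory is covered is answered by the changelog (or the vendor's errata page), which is the check to run before deciding that a source build is safer than the distro package.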

  8. #8
Will it affect a server that doesn't use the default ssh port?

    -joseph

  9. #9
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,249
    Quote Originally Posted by Mxhub View Post
Will it affect a server that doesn't use the default ssh port?

    -joseph
Potentially, if someone gets your ssh port.

  10. #10
    Quote Originally Posted by Steven View Post
    potentially if someone gets your ssh port.
Reminds me to get some anti-port-scanning tool.

-joseph

  11. #11
    Join Date
    Mar 2008
    Posts
    1,715
    If I had to hazard a guess, I'd say that the machine was rooted prior to the attack, and that sshd was backdoored... hence them logging in easily and not showing up in wtmp/utmp/whatever. That would also explain why upgrading from source apparently fixed the problem - it probably nuked the backdoor.

    Personally I don't know who your trusted source is, but there's some pretty big sites out there running CentOS and chances are good there'd be bigger fish to fry if someone had a zero-day of that caliber. I wouldn't completely rule it out of course, but still...
    Jamie @ Sabrienix
    Now with Mumble Hosting!
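The backdoored-sshd hypothesis in the post above is easy to test on a suspect box: verify the installed files against the package database rather than trusting the binary's behaviour. The following is an added shell example, not the poster's procedure: it parses the line format that `rpm -V` prints (fed here with constructed sample lines) and reports non-config files whose MD5 digest no longer matches the package, plus files the package expects but which are missing.

```shell
#!/bin/sh
# Constructed sample in the format `rpm -V openssh-server` prints on
# RHEL/CentOS 5: eight attribute columns (S M 5 D L U G T, '.' = unchanged),
# an optional 'c' marking config files, then the path. A clean package
# prints nothing at all. These three lines are made up for the demo.
SAMPLE_VERIFY='S.5....T.    /usr/sbin/sshd
.......T.  c /etc/ssh/sshd_config
missing     /usr/share/man/man8/sshd.8.gz'

# Print paths of non-config files whose on-disk MD5 (column '5') differs
# from what the rpm database recorded. Input: rpm -V output on stdin.
# A changed mtime alone ('T') is not flagged; a changed digest on a
# binary such as /usr/sbin/sshd is the signal worth acting on.
tampered_binaries() {
    awk '$1 ~ /5/ && $2 != "c" { print $NF }'
}

# Print paths that the package says should exist but do not.
missing_files() {
    awk '$1 == "missing" { print $NF }'
}

# Demo on the constructed sample. On a real box replace the printf with
#   rpm -V openssh-server
# or, better, verify against a package file fetched from a trusted mirror:
#   rpm -Vp openssh-server-4.3p2-29.el5.x86_64.rpm
printf '%s\n' "$SAMPLE_VERIFY" | tampered_binaries
printf '%s\n' "$SAMPLE_VERIFY" | missing_files
```

Caveat: `rpm -V` trusts the local rpm database, the rpm binary and the shared libraries they load, all of which an intruder with root can alter, so a clean result from a live compromised system proves little. Run the check from rescue media against a package file from a trusted mirror, and treat a changed digest on sshd as a reason to rebuild the host rather than reinstall the package in place.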

  12. #12
    Join Date
    May 2006
    Posts
    1,398
First off, no one claimed to be any security expert. I merely stated I heard this from someone who was hacked this way, and had heard it from a few other reliable people as well.

Also, I said better safe than sorry and that I believed the people I heard it from; I did not state it was fact. Also, I'm sure you don't know who I heard it from in the first place, Jason.

Amazing how someone dying to get in a thread and post insults won't even read the original post...

But also it would be nice to find out it is just a rumor, which it may be.

Anyway, that is what this forum is for. Even if something was heard through the grapevine or whatever, if it may affect a lot of people, what is the harm in posting it? I don't get it, lol, pseudo security experts. Anyone who knows me knows I NEVER claim to be an expert in security.
    Last edited by jon-f; 07-04-2009 at 02:20 AM.

  13. #13
    Quote Originally Posted by felosi View Post
First off, no one claimed to be any security expert. I merely stated I heard this from someone who was hacked this way, and had heard it from a few other reliable people as well.

Also, I said better safe than sorry and that I believed the people I heard it from; I did not state it was fact. Also, I'm sure you don't know who I heard it from in the first place, Jason.

Amazing how someone dying to get in a thread and post insults won't even read the original post...
Hm, just gonna put a shot in the dark here: nowayout the security expert, aka 'glafkos', and (but not limited to) astalavista staff?

  14. #14
    Join Date
    May 2006
    Posts
    1,398
    Quote Originally Posted by HRDev Jason View Post
    hm, just gona put a shot in the dark here, nowayout the security expert! aka 'glafkos' and (but not limited too) astalavista staff?
No, but he is one of the people I heard it from. Supposedly the pcap log shows the exploit in action. I don't host him either.

    Quote Originally Posted by HRDev Hady View Post
    Yes, but you're still kicking up a fuss and worrying people although it's completely unnecessary. Where's the proof they were 'hacked this way' besides what some pseudo-security expert believes happened?
Point taken; my goal was not to worry people, but I figured it was worth posting and letting people make their own minds up.

Oh, and I wouldn't have just posted a rumor, but I know those people did have a forensic specialist come in and that was their conclusion on it.

Of course it can all be wrong and just rumor; I hope it is.

  15. #15
    Join Date
    Apr 2002
    Location
    Auckland - New Zealand
    Posts
    1,572
Well, with the smoke the other week regarding ssh, I wouldn't dismiss this claim totally.

Just keep ssh restricted to only the networks that you want to access it from and you're safe (from an ssh exploit); as always, if you can't get to it there is no chance of being hacked at all. Those with shared access to ssh on port 22, then I guess you need to either make a decision to recompile or keep your eyes on notice boards for any disclosure or confirmed case.
