[NCLUG] [new openssh exploit?]
Michael Dwyer
mdwyer at sixthdimension.com
Wed Dec 12 16:16:44 MST 2001
Vulnerability lists are trying to hunt this one down. If you have
seen any attacks on your own machines, I'm sure they would certainly
appreciate the logs -- especially those from Snort or TCPDump...
Vicki Irwin wrote:
>
> Hi all,
>
> This is an article for tonight's diary, but we wanted to send it
> out early in case any of you can help us gather information and
> nail down these rumors. We are pursuing information via the channels
> we have, and would greatly appreciate any help anyone can offer!
>
> Thanks!
> --Vicki
>
> ===================================================================
> SSH Attack Activity Update -- Many Rumors Circulating
> -----------------------------------------------------
> A few posts have been made regarding a rumored remote exploit for
> OpenSSH 2.9 (or some other recent OpenSSH version). The claim is
> that an exploit exists, is being circulated in the "underground",
> and is actively being used to compromise machines.
> http://archives.neohapsis.com/archives/incidents/2001-12/0126.html
> http://archives.neohapsis.com/archives/incidents/2001-12/0144.html
> http://archives.neohapsis.com/archives/incidents/2001-12/0150.html
> http://forum.sans.org/discus/messages/79/973.html#POST3548
>
> Further, a few people have posted that they are noticing an increase
> in SSH scanning in general. Some have even suggested that worm activity
> may be to blame.
> http://forum.sans.org/discus/messages/79/973.html#POST3546
> http://archives.neohapsis.com/archives/incidents/2001-12/0103.html
>
> A posting to the UNISOG list today (no link available) reads:
> "Anyone else see a high volume of SSH (22/TCP) scans from various .DE
> hosts in the last day or so? We have."
>
> Further, an anonymous tip given to our incident handlers claimed
> that there are "unpublished remote exploits" for use against popular,
> recent versions of OpenSSH.
>
> In this light we decided to take a close look at the Storm
> Center data for port 22. An activity summary is below. Note
> that the number of distinct sources generating SSH probes has
> risen a bit over the last few days, and the number of scans
> (single source, 10+ distinct targets) has increased slightly.
>
> +------------+------------+------------------+-------------+
> | date | sum(count) | #Sources | #Scans |
> +------------+------------+------------------+-------------+
> | 2001-11-10 | 1335 | 42 | 10 |
> | 2001-11-11 | 67846 | 46 | 11 |
> | 2001-11-12 | 3074 | 60 | 9 |
> | 2001-11-13 | 1533 | 57 | 10 |
> | 2001-11-14 | 817 | 49 | 5 |
> | 2001-11-15 | 1789 | 47 | 7 |
> | 2001-11-16 | 3751 | 65 | 16 |
> | 2001-11-17 | 1455 | 49 | 11 |
> | 2001-11-18 | 244236 | 60 | 6 |
> | 2001-11-19 | 1737 | 53 | 0 |
> | 2001-11-20 | 76838 | 60 | 6 |
> | 2001-11-21 | 16377 | 60 | 8 |
> | 2001-11-22 | 2629 | 58 | 0 |
> | 2001-11-23 | 2522 | 58 | 20 |
> | 2001-11-24 | 3279 | 69 | 11 |
> | 2001-11-25 | 2816 | 75 | 10 |
> | 2001-11-26 | 1735 | 77 | 14 |
> | 2001-11-27 | 7484 | 57 | 17 |
> | 2001-11-28 | 7112 | 76 | 14 |
> | 2001-11-29 | 8437 | 70 | 17 |
> | 2001-11-30 | 14052 | 70 | 16 |
> | 2001-12-01 | 7532 | 73 | 12 |
> | 2001-12-02 | 2101 | 78 | 14 |
> | 2001-12-03 | 30247 | 88 | 15 |
> | 2001-12-04 | 1403 | 78 | 5 |
> | 2001-12-05 | 2827 | 61 | 15 |
> | 2001-12-06 | 2472 | 79 | 20 |
> | 2001-12-07 | 97328 | 78 | 20 |
> | 2001-12-08 | 1681 | 85 | 18 |
> | 2001-12-09 | 1211 | 83 | 14 |
> | 2001-12-10 | 185635 | 85 | 21 |
> | 2001-12-11 | 5792 | 84 | 7 |
> +------------+------------+------------------+-------------+
>
> The thing that jumps out most from the table however is that the
> number of probes spikes dramatically on several days (including
> December 10th). Checking the data shows that these large jumps are
> primarily due to a few huge scans. The very large scans are
> summarized below. The last column of the table shows the SSH
> banner announced by the attacking machine, if any.
>
> Date        #Targets  Attacking IP     Hostname / owner                      SSH banner
> ----------  --------  ---------------  ------------------------------------  ------------------------
> 2001-11-11     66458  200.32.3.114     www.nixonnet.com.ar
> 2001-11-18     95177  211.233.3.198    Korea Server Hosting Provider         SSH-1.99-OpenSSH_2.3.0p1
> 2001-11-18     76846  216.206.101.2    216-206-101-2.hsacorp.net             SSH-1.99-OpenSSH_2.5.1p1
> 2001-11-20     16457  128.121.94.156   Verio
> 2001-11-21     15667  24.226.33.9      d226-33-9.home.cgocable.net           SSH-1.5-1.2.32
> 2001-11-30      6001  141.22.194.53    bau01.rzbt.haw-hamburg.de
> 2001-12-03     26983  216.166.147.79   ccs79.cotcomsol.com                   SSH-1.99-OpenSSH_2.9p2
> 2001-12-07     92991  195.249.123.123  garfield.freesite.dk                  SSH-1.5-1.2.32
> 2001-12-10     84582  138.131.170.38   amager.csem.ch
> 2001-12-10     90501  147.83.54.69     titania1.upc.es
> 2001-12-10      5999  195.184.176.164  gep19-677.szolcatv.broadband.hu
> 2001-12-10      3328  212.80.183.226   Cable&Wireless ISP Switzerland
>
> We note that the 12-03 attacker is running OpenSSH_2.9p2. This is interesting
> in light of a posting made to the SF incidents list today:
> http://archives.neohapsis.com/archives/incidents/2001-12/0150.html
>
> "Version 2.9.2 has an exploit that's for sure. The rumor is that TESO made it,
> and it somehow reached some other underground 'crews' or 'groups'. Also I am
> trying to find more information on the local exploit for SSHD 2.4.0. More
> information on that soon."
>
> If anyone has more information on a new remote SSH vulnerability/exploit,
> or information on SSH worm activity, please let us know. We are currently
> pursuing other channels of information as well. At this point we have obtained
> two binaries that are believed to be associated with remote exploits against
> OpenSSH 2.5 and 2.9, and SSH worm activity. These binaries are currently being
> analyzed and we will report any further findings when they become available.
>
> Note: We are aware of the following vulnerabilities, and believe
> that neither of these is the "rumored" issue.
>
> CRC32 Compensation Attack Detector (Remote):
> http://www.incidents.org/diary.php?id=16
>
> UseLogin Vulnerability (Local):
> http://www.incidents.org/diary.php?id=110
>
> ============================================================================
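The two tables above are built from per-probe records: total probes per day, distinct sources per day, "scans" (a single source hitting 10 or more distinct targets), and the SSH identification banner the probing host announced. The script below is an added example, written for this page, of that same aggregation and of splitting an SSH banner such as SSH-1.99-OpenSSH_2.9p2 into its protocol and software parts; it is not Incidents.org, Storm Center or NCLUG code. Its input format (one line per probe: date, source, target, banner or "-") and its sample log, which uses documentation address ranges, are constructed for the example and are not the Storm Center's format or data.

```python
"""Daily port-22 probe summary and SSH banner parsing.

Added example, not Incidents.org / Storm Center code.  Input format is
constructed for this example:
    YYYY-MM-DD  source_ip  target_ip  banner
where banner is the identification string the probing host announced,
or '-' if none was recorded.
"""
from collections import defaultdict

SCAN_THRESHOLD = 10   # the diary's definition: one source, 10+ distinct targets


def constructed_log():
    """Constructed sample log (documentation IP ranges, not real data)."""
    lines = []
    # one source sweeping 12 targets on a day, announcing an OpenSSH 2.9p2 banner
    for i in range(1, 13):
        lines.append(f"2001-12-10 203.0.113.5 192.0.2.{i} SSH-1.99-OpenSSH_2.9p2")
    # one source hitting a single target five times: many probes, not a scan
    lines.extend(["2001-12-10 203.0.113.77 192.0.2.1 -"] * 5)
    # next day: a three-target sweep, below the scan threshold
    for i in range(1, 4):
        lines.append(f"2001-12-11 198.51.100.9 192.0.2.{i} SSH-1.5-1.2.32")
    return "\n".join(lines)


def parse_line(line):
    """One record -> (date, src, dst, banner-or-None)."""
    date, src, dst, banner = line.split(maxsplit=3)
    return date, src, dst, (None if banner == "-" else banner)


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def daily_summary(probes, scan_threshold=SCAN_THRESHOLD):
    """Per day: total probes, distinct sources, and sources that qualify as scans."""
    count = defaultdict(int)
    targets = defaultdict(lambda: defaultdict(set))   # date -> src -> {dst}
    for date, src, dst, _ in probes:
        count[date] += 1
        targets[date][src].add(dst)
    summary = {}
    for date in sorted(count):
        per_src = targets[date]
        summary[date] = {
            "count": count[date],
            "sources": len(per_src),
            "scans": sum(1 for t in per_src.values() if len(t) >= scan_threshold),
        }
    return summary


def large_scans(probes, min_targets=SCAN_THRESHOLD):
    """(date, #targets, source, banner) for each source/day at or above min_targets."""
    targets = defaultdict(set)
    banners = {}
    for date, src, dst, banner in probes:
        targets[(date, src)].add(dst)
        if banner:
            banners[(date, src)] = banner
    rows = [(date, len(t), src, banners.get((date, src)))
            for (date, src), t in targets.items() if len(t) >= min_targets]
    return sorted(rows, key=lambda r: (r[0], -r[1]))


def parse_banner(banner):
    """Split 'SSH-protoversion-softwareversion [comments]' into its parts.

    Protocol version 1.99 means the peer speaks both SSH-1 and SSH-2;
    1.5 is SSH-1 only, 2.0 is SSH-2 only.
    """
    ident, _, comments = banner.partition(" ")
    prefix, proto, software = ident.split("-", 2)
    if prefix != "SSH":
        raise ValueError(f"not an SSH identification string: {banner!r}")
    return {"proto": proto, "software": software, "comments": comments,
            "ssh1": proto in ("1.5", "1.99"), "ssh2": proto in ("1.99", "2.0")}


if __name__ == "__main__":
    probes = parse_log(constructed_log())
    for date, stats in daily_summary(probes).items():
        print(date, stats)
    for row in large_scans(probes):
        print(row, parse_banner(row[3]) if row[3] else "(no banner)")
```

The scan count deliberately keys on distinct targets rather than probe volume, which is why the single-target source with five probes raises the day's total without counting as a scan. The banner parser keeps only the identification string before the first space, since comments after it are free text.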