[NCLUG] openssh

John L. Bass jbass at dmsd.com
Tue Jan 15 04:48:45 MST 2002


I cleaned up one of our customers' servers this morning with a DDoS bot targeting specific
versions of ssh using the following table:

# cat targets
Small - SSH-1.5-1.2.26,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,0
Big - SSH-1.5-1.2.26,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
Small - SSH-1.5-1.2.27,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,0
Big - SSH-1.5-1.2.27,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
Small - SSH-1.5-1.2.31,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,0
Big - SSH-1.5-1.2.31,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
Small - SSH-1.5-1.2.24-31,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,0
Big - SSH-1.5-1.2.24-31,0x08070000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
Small - SSH-1.5-1.2.32,0x08070001,0x09184090,0x00100900,0x00040009,0x00000001,0x09400001,0x9a,0x0804,0
Big - SSH-1.5-1.2.32,0x09040000,0x08484009,0x00400009,0x00040009,0x00004000,0x09400000,0x9a,0x0804,1
Small - SSH-1.5-1.3.6_F-SECURE_SSH,0x03040000,0x08114000,0x00000004,0x00030003,0x00000000,0x03400000,0x3a,0x0806,0
Big - SSH-1.5-1.3.6_F-SECURE_SSH,0x03070000,0x03184000,0x00000003,0x00010003,0x00000000,0x08300000,0x3a,0x0806,1
Small - SSH-1.5-1.3.7-10,0x08070010,0x08184005,0x00110005,0x00010005,0x00000000,0x08400005,0x5a,0x0805,0
Big - SSH-1.5-1.3.7-10,0x08072100,0x08184020,0x00002204,0x00010004,0x00000420,0x08400620,0x7a,0x0805,0
Small - SSH-1.5-OpenSSH-1.2,0x08070100,0x08184110,0x01100004,0x00020004,0x00022000,0x08400001,0x7a,0x0805,0
Big - SSH-1.5-OpenSSH-1.2,0x08070011,0x0818010c,0x00210004,0x00010004,0x00002100,0x0820010c,0x4a,0x0804,1
Small - SSH-1.5-OpenSSH-1.2.1-3,0x08070000,0x08181000,0x00200106,0x00010006,0x00000016,0x08400000,0x6a,0x0806,0
Big - SSH-1.5-OpenSSH-1.2.1-3,0x08070000,0x08111006,0x0000026,0x00010006,0x0000100c,0x08400100,0x6a,0x0806,1
Small - SSH-1.5-OpenSSH-2.1,0x08070000,0x0818400c,0x00000006,0x00110006,0x00000100,0x08400100,0x6a,0x0806,0
Big - SSH-1.5-OpenSSH-2.1,0x08070000,0x08184000,0x0000001c,0x00011001,0x0000400c,0x08400001,0x7a,0x0804,1
Small - SSH-1.99-OpenSSH-2.1.1,0x0806000c,0x08282002,0x0000002c,0x00040002,0x00110000,0x08400110,0x7a,0x0804,0
Big - SSH-1.99-OpenSSH-2.1.1,0x08070000,0x08184000,0x00010004,0x00010004,0x00000100,0x08400000,0x7a,0x0804,1
Small - SSH-1.99-OpenSSH-2.2.0,0x08071000,0x08184000,0x00000104,0x00010004,0x00010000,0x08400100,0x7a,0x0805,0
Big - SSH-1.99-OpenSSH-2.2.0,0x08070010,0x0818400c,0x00010002,0x00016002,0x00000000,0x0840000c,0x7a,0x0805,1
Small - SSH-1.99-OpenSSH-2.2.0p1,0x08070000,0x08184000,0x0000004c,0x00010004,0x00c00000,0x08400000,0x7a,0x0805,0
Big - SSH-1.99-OpenSSH-2.2.0p1,0x0807000c,0x08184000,0x00000c04,0x00010004,0x00000000,0x08400000,0x7a,0x0805,1
Small - SSH-1.99-OpenSSH_2.2.0p1,0x08180000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x96,0x0805,0
Small - SSH-1.99-OpenSSH_2.2.0p1,0x08180000,0x08184000,0x00000004,0x00010004,0x00000000,0x08400000,0x96,0x0805,0
Big - SSH-1.99-OpenSSH_2.2.0p1,0x080b0000,0x08184000,0x37f8c00c,0x4011000c,0x4011000c,0x4019000c,0x96,0x0805,1
Small - SSH-1.99-OpenSSH_2.3.0p1,0x08070100,0x08184000,0x00011004,0x00010004,0x00c01000,0x08400000,0x3a,0x0805,0
Big - SSH-1.99-OpenSSH_2.3.0p1,0x08070002,0x08184020,0x00010002,0x00010802,0x00011000,0x08400002,0x3a,0x0801,1
Small - SSH-1.99-OpenSSH_2.5.2p2,0x08070110,0x0818400c,0x00011005,0x00010103,0x00100400,0x08400200,0x8a,0x0806,0
Big - SSH-1.99-OpenSSH_2.5.2p2,0x08070111,0x08184011,0x10000004,0x0008000c,0x00110000,0x08400011,0x8a,0x0806,1

So if you are still running an older sshd you might consider upgrading soon, or making sure
you have firewall rules to block external ssh connections:

# SSH listens on port 22, so the port must follow -d (destination) rather than -s;
# "-s addr 22" would match packets coming *from* port 22, not connections *to* it.
ipchains -A input -p tcp -s 192.168.0.0/24 -d 0.0.0.0/0 22 -j ACCEPT
ipchains -A input -p udp -s 192.168.0.0/24 -d 0.0.0.0/0 22 -j ACCEPT
ipchains -A input -p tcp -s 0.0.0.0/0      -d 0.0.0.0/0 22 -j REJECT
ipchains -A input -p udp -s 0.0.0.0/0      -d 0.0.0.0/0 22 -j REJECT


The rootkit wasn't very aggressive ...

	installed hooks in /etc/rc.d/rc.local,
	scripts in /etc/rc.d/init.d
	replaced binaries for ps, netstat, sshd
	and hid files under directories in /dev and /root

The directory name under /root of ".. " was cute (note trailing space).

Have fun,
John
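The indicators John lists (a ".. " directory with a trailing space under /root, tools stashed in subdirectories of /dev, and startup hooks in rc.local) are easy to miss with a plain ls but easy to check for mechanically. The script below is an added example, not part of John's post or of any rootkit-detection tool; it assumes a find that supports -mindepth/-maxdepth and takes the directories to scan as parameters, so it can be run against a constructed fixture as well as a live host. The fixture it builds (a fake /root, /dev and rc.local) is constructed here for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): checks for the three indicators
# described in the clean-up, parameterised by path so they run offline.

# Directories whose name is a dot followed only by dots or whitespace, e.g.
# ".. " (trailing space), ". " or "...". Normal dotfiles such as .ssh do not
# match because they contain other characters.
find_hidden_dirs() {
    root="$1"
    find "$root" -mindepth 1 -maxdepth 2 -type d 2>/dev/null |
        awk -F/ '{ n = $NF; if (n ~ /^\.[. \t]*$/) print }'
}

# Regular files under /dev. Legitimate entries there are device nodes,
# symlinks, fifos and sockets; /dev/shm is skipped because applications do
# keep regular files there. Review the output by hand, it is a shortlist.
find_nondev_files() {
    root="$1"
    find "$root" ! -path "$root/shm/*" -type f 2>/dev/null
}

# Startup-script lines that run something from a subdirectory of /dev or
# /root. Requiring a subdirectory keeps "> /dev/null" redirections out of
# the match.
find_rc_hooks() {
    grep -n -E '(^|[[:space:]])(/dev|/root)/[^[:space:]/]+/[^[:space:]]+' "$1" 2>/dev/null
}

# Constructed fixture mimicking the described layout; returns its path.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/root/.. " "$dir/root/.ssh" "$dir/dev/ptyxx" "$dir/dev/shm"
    : > "$dir/dev/ptyxx/psbnc"     # constructed: a planted binary under /dev
    : > "$dir/dev/shm/legit"       # constructed: benign file, must be skipped
    mkfifo "$dir/dev/initctl"      # constructed: a fifo, as real /dev has
    printf '%s\n' '#!/bin/sh' 'touch /var/lock/subsys/local' \
        '/dev/ptyxx/psbnc &' > "$dir/rc.local"
    echo "$dir"
}

# Run all three checks against a host; call as: scan_host / /etc/rc.d/rc.local
scan_host() {
    prefix="$1"; rc="$2"
    echo "== hidden dot-named dirs under $prefix/root"; find_hidden_dirs "$prefix/root"
    echo "== regular files under $prefix/dev";          find_nondev_files "$prefix/dev"
    echo "== suspicious lines in $rc";                  find_rc_hooks "$rc"
}
```

On a live system, run the checks as root and compare the replaced-binary symptoms separately (for example by diffing the pid list from ps against the entries in /proc), since a trojaned ps is exactly the case where ls and ps output cannot be trusted.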