[Tfug] Anybody here(sic) of a new SSH vulnerability?

Brian Murphy murphy+tfug at email.arizona.edu
Wed Jul 28 13:41:38 MST 2004


Quoting Choprboy <choprboy at dakotacom.net>:
> All of the attempts have been a SSH login as admin/root/guest/etc. with no
> password or (what I guess is) a default password. I normally (for the past 6
> months) see a couple attempts a week of this type of activity... For the last
> 2 weeks now I have seen it 2-5 times per day against each of half a dozen
> servers across the country...


Yeah, I can agree that activity has been on the rise.  I was able to
perform forensics on a compromised Solaris server a few weeks ago.  The
attacker exploited an NFS "feature" that can place suid root files on a
read/write fileserver.  When the client filesystem wasn't mounted
nosuid, it was an instant root shell.  The attacker downloaded, built
and installed an exploited sshd.  The new sshd had a lot of its bases
covered.  When the "guest" account was to be authenticated, a lot of
the sshd_config safety checks
(PermitEmptyPasswords, PermitRootLogin, etc.) were conditioned out with if
statements in the code.  The guest was fast tracked into the server
with a setuid(0) for good luck. :-)  This particular sshd could also
harvest username/password/hostname combos and send them to a remote
gatherer.

Moral of the story:  read/write and no-root-squashed NFS servers with
suid possible NFS clients is not a good idea.  Host and network-based
IDS systems should be used as complements to each other.

Brian

The opinions or statements expressed herein are my own and should not be
taken as a position, opinion, or endorsement of the University of
Arizona.
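As an added example (not from the thread or from any project), a small POSIX shell audit for the two conditions Brian names: exports that are rw with no_root_squash, and NFS mounts that are writable but not nosuid. It assumes Linux-style /etc/exports and /proc/mounts formats; the sample inputs are constructed.

```shell
#!/bin/sh
# Added example: audit NFS server exports and client mounts for the suid-root
# planting scenario (rw + no_root_squash on the server, no nosuid on the client).

# Constructed sample /etc/exports content (server side)
SAMPLE_EXPORTS='/export/home  10.0.0.0/24(rw,no_root_squash,sync)
/export/pub   *(ro,root_squash)
/srv/share    client1(rw,sync)'

# Constructed sample mount table in /proc/mounts format (client side)
SAMPLE_MOUNTS='nfsserver:/export/home /home nfs rw,relatime,vers=3 0 0
nfsserver:/export/pub /pub nfs ro,nosuid,nodev,vers=3 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

# Print "path client" for every export that is rw and does not squash root:
# a client root can create root-owned suid files there. Reads the exports
# file(s) given as arguments, or stdin (e.g. risky_exports /etc/exports).
risky_exports() {
    awk '
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {         # each field is client(options)
            p = index($i, "(")
            if (p > 0) {
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\)$/, "", opts)
            } else { client = $i; opts = "" }   # defaults: ro,root_squash
            if (opts ~ /(^|,)rw(,|$)/ && opts ~ /(^|,)no_root_squash(,|$)/)
                print path, client
        }
    }' "$@"
}

# Print the mount point of every NFS mount that is rw but lacks nosuid:
# the suid bit on files planted by the server side is honoured locally.
# Reads /proc/mounts-style text from arguments or stdin.
risky_mounts() {
    awk '$3 ~ /^nfs/ {
        o = "," $4 ","                      # delimit options for exact matching
        if (o ~ /,rw,/ && o !~ /,nosuid,/) print $2
    }' "$@"
}

printf '%s\n' "$SAMPLE_EXPORTS" | risky_exports   # -> /export/home 10.0.0.0/24
printf '%s\n' "$SAMPLE_MOUNTS" | risky_mounts     # -> /home
```

On a live host, run `risky_exports /etc/exports` on the fileserver and `risky_mounts /proc/mounts` on each client; an empty result means neither condition is present.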
