| From | Marko Rauhamaa <marko@pacujo.net> |
|---|---|
| Newsgroups | comp.security.ssh |
| Subject | SSH intrusion in Fedora 16 |
| Date | 2011-12-20 14:33 +0200 |
| Message-ID | <m3wr9rs9rg.fsf@elektro.pacujo.net> (permalink) |
| Organization | NBL Networks Oy |
I strongly suspect my home server has been broken into. I noticed the
intrusion by sheer luck by wondering why the fan was on and the CPU
utilization was at 100%. The "top" utility showed that "cc1" processes
were coming and going. I tried to identify the source with "ps" which
revealed:
$ ps ax | grep cc1
31054 pts/11 R+ 0:00 /usr/libexec/gcc/x86_64-redhat-linux/4.6\
.2/cc1 -quiet -I . -I . -D SSHDIR="/etc/ssh" -D _PATH_SSH_PROGRAM="\
/usr/local/bin/ssh" -D _PATH_SSH_ASKPASS_DEFAULT="/usr/local/libexe\
c/ssh-askpass" -D _PATH_SFTP_SERVER="/usr/local/libexec/sftp-server\
" -D _PATH_SSH_KEY_SIGN="/usr/local/libexec/ssh-keysign" -D _PATH_S\
SH_PKCS11_HELPER="/usr/local/libexec/ssh-pkcs11-helper" -D _PATH_SS\
H_PIDDIR="/var/run" -D _PATH_PRIVSEP_CHROOT_DIR="/var/empty" -D SSH\
_RAND_HELPER="/usr/local/libexec/ssh-rand-helper" -D HAVE_CONFIG_H \
loginrec.c -quiet -dumpbase loginrec.c -mtune=generic -march=x86-64\
-auxbase loginrec -g -O2 -Wall -Wpointer-arith -Wuninitialized -Ws\
ign-compare -Wno-pointer-sign -Wformat-security -fno-strict-aliasin\
g -fno-builtin-memset -fstack-protector-all -o /tmp/cci7t8b5.s
$ ps -ef | grep cc1
root 31098 31097 0 10:10 pts/11 00:00:00 /usr/libexec/gcc/x8\
6_64-redhat-linux/4.6.2/cc1 -quiet -I . -I . -D SSHDIR="/etc/ssh" -\
D _PATH_SSH_PROGRAM="/usr/local/bin/ssh" -D _PATH_SSH_ASKPASS_DEFAU\
LT="/usr/local/libexec/ssh-askpass" -D _PATH_SFTP_SERVER="/usr/loca\
l/libexec/sftp-server" -D _PATH_SSH_KEY_SIGN="/usr/local/libexec/ss\
h-keysign" -D _PATH_SSH_PKCS11_HELPER="/usr/local/libexec/ssh-pkcs1\
1-helper" -D _PATH_SSH_PIDDIR="/var/run" -D _PATH_PRIVSEP_CHROOT_DI\
R="/var/empty" -D SSH_RAND_HELPER="/usr/local/libexec/ssh-rand-help\
er" -D HAVE_CONFIG_H ssh-keygen.c -quiet -dumpbase ssh-keygen.c -mt\
une=generic -march=x86-64 -auxbase ssh-keygen -g -O2 -Wall -Wpointe\
r-arith -Wuninitialized -Wsign-compare -Wno-pointer-sign -Wformat-s\
ecurity -fno-strict-aliasing -fno-builtin-memset -fstack-protector-\
all -o /tmp/ccmOShia.s
Unfortunately the onslaught was over before I could trace the process
ids to the ancestor process.
I then checked the sanity of my SSH installation:
$ sudo rpm -qf /usr/bin/ssh
openssh-clients-5.8p2-16.fc16.1.x86_64
$ sudo rpm -V openssh-clients
5S.T..... c /etc/ssh/ssh_config
5S....... /usr/bin/ssh
5S.T..... /usr/bin/ssh-add
$ sudo rpm -qf /usr/sbin/sshd
openssh-server-5.8p2-16.fc16.1.x86_64
$ sudo rpm -V openssh-server
5S.T..... c /etc/ssh/sshd_config
5S.T..... /usr/sbin/sshd
I also downloaded openssh-clients-5.8p2-16.fc16.1.x86_64.rpm from the
net and compared files:
$ diff /etc/ssh/ssh_config etc/ssh/ssh_config
26a27,30
> # GSSAPIAuthentication no
> # GSSAPIDelegateCredentials no
> # GSSAPIKeyExchange no
> # GSSAPITrustDNS no
46a51
> GSSAPIAuthentication yes
$ ls -l /usr/bin/ssh usr/bin/ssh
-rwxr-xr-x 1 root root 392464 Jul 25 10:47 /usr/bin/ssh
-rwxr-xr-x 1 marko marko 434288 Jul 25 10:47 usr/bin/ssh
Notice how the time stamps are identical but the sizes are significantly
different.
Complete rpm -Va findings attached.
I have no idea how the intrusion took place. The only possibilities that
come to mind are the SSH server, which is open to the world, or
something hidden in a Fedora rpm.
Marko
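Added example, not part of the post: a small Python triage of `rpm -V` output that parses findings like the ones quoted above by attribute letter (per rpm(8)) and ranks them, singling out the pattern Marko observed of a changed digest and size with an unchanged mtime. The sample lines are constructed from the post's own output.

```python
import re
from collections import namedtuple
# rpm -V attribute letters (rpm(8)). Their order varies between rpm releases (the
# post shows "5S.T....." where current rpm prints "S.5....T."), so key on letter.
FLAG_MEANING = {"S": "size differs", "M": "mode differs", "5": "digest differs",
                "D": "device number differs", "L": "symlink target differs",
                "U": "owner differs", "G": "group differs", "T": "mtime differs",
                "P": "capabilities differ"}
LINE_RE = re.compile(r"^(?P<flags>[SM5DLUGTP.?]{8,9}|missing)\s+"
                     r"(?:(?P<ftype>[cdglr])\s+)?(?P<path>/\S+)$")
Finding = namedtuple("Finding", "path flags is_config missing")  # is_config: 'c' marker

def parse_line(line):
    """Parse one rpm -V output line; None for lines that are not findings."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    raw = m.group("flags")
    flags = frozenset(c for c in raw if c in FLAG_MEANING)  # empty for "missing"
    return Finding(m.group("path"), flags, m.group("ftype") == "c", raw == "missing")

def mtime_preserved(f):
    """Content differs but mtime matches the package, as the post's ls -l shows."""
    return bool(f.flags & {"5", "S"}) and "T" not in f.flags

def triage(f):
    """Rank a finding; non-config files with changed content are what matter."""
    if f.missing or f.flags & {"5", "S", "L"}:
        return "info" if f.is_config else "high"  # %config edits are expected
    return "low"  # only metadata (mtime, mode, owner, group) changed

def report(rpm_verify_output):
    """Return [(path, severity, note)] for every finding, most severe first."""
    rank = {"high": 0, "low": 1, "info": 2}
    rows = []
    for f in filter(None, map(parse_line, rpm_verify_output.splitlines())):
        note = ", ".join(FLAG_MEANING[c] for c in sorted(f.flags)) or "file missing"
        if mtime_preserved(f):
            note += "; content changed but mtime preserved"
        rows.append((f.path, triage(f), note))
    return sorted(rows, key=lambda r: rank[r[1]])

# Constructed sample: the rpm -V lines quoted in the post.
SAMPLE = """\
5S.T..... c /etc/ssh/ssh_config
5S....... /usr/bin/ssh
5S.T..... /usr/bin/ssh-add
5S.T..... c /etc/ssh/sshd_config
5S.T..... /usr/sbin/sshd
"""
```

Run `report(SAMPLE)` (or feed it the text of `rpm -Va`) to get the package binaries with altered content listed ahead of the edited config files.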