lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 23 Sep 2011 10:09:46 -0400
From: Valdis.Kletnieks@...edu
To: BH <lists@...ckhat.bz>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: sshd logins without a source

On Fri, 23 Sep 2011 11:45:35 +0800, BH said:
> Hi,
> 
> I am taking a look at a few different servers that have been rooted at
> around the same time. At the time of the compromise I can see in each
> servers sshd logs an entry like the following:
> 
> Sep 22 12:57:14 test-vm sshd[25002]: pam_unix(sshd:session): session
> opened for user root by (uid=0)
> Sep 22 12:57:32 test-vm sshd[25002]: pam_unix(sshd:session): session
> closed for user root

Well, my first guess is the guys managed to wipe some but not all the
log entries, using anything from sed to perl to cat to.. ;)  But if you need
alternate theories, here's one (untested) one for you:

At least at one time, it was possible (though discouraged) to launch sshd from
inetd, rather than having an sshd running all the time.  In that case, inetd would
catch the incoming connection, and spawn an sshd with file descriptors 0,1,2
pre-connected to the socket.  That code path may have assumed that inetd
would have done the connection logging and thus not logged it.

This would impliy that either the attacker got an sshd entry into inetd.conf,
or that he got code executed on the machine in ohther ways, and then fork/
exec'ed an ssh the same way inetd would (which would be odd, as fork/exec'ing
/bin/bash would be a lot more productive ;)

Of course, I haven't had my caffeine yet, so... ;)

Content of type "application/pgp-signature" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ