Message-ID: <1316772351.97561.YahooMailNeo@web110810.mail.gq1.yahoo.com>
Date: Fri, 23 Sep 2011 03:05:51 -0700 (PDT)
From: Bacanu Adrian-Daniel <darkzatarra@...oo.com>
To: BH <lists@...ckhat.bz>,
	"full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: sshd logins without a source

Hi,

Your problem is related to an sshd sniffer. It is another implementation of the usual sshd server which does not log anything and uses the same port 22 (as default), but it can also be changed.

Are you trying to solve the problem or to reproduce the "attack"?

If you choose the first part, you can track the intruder when he is logged on with the netstat command. If you try to get his IP from any default log (system or daemon), your work will be in vain. If you try to get rid of it, try to reinstall the sshd server or change the sshd_config file. There are also a few tricks to get rid of such situations, but they are a little bit complicated.

If you are trying to reproduce the "attack", you have to implement a preconfigured sshd server. I already did such a thing and it worked almost perfectly; there are still a few actions that can be hidden only by scripting. It is not such a hard thing to do. If you really want to catch all the steps, try to implement a honeypot on one of your test servers.

I wish you good luck,

 
---------------------------------
Adrian-Daniel Băcanu
---------------------------------


________________________________
From: BH <lists@...ckhat.bz>
To: full-disclosure@...ts.grok.org.uk
Sent: Friday, September 23, 2011 4:45 AM
Subject: [Full-disclosure] sshd logins without a source

Hi,

I am taking a look at a few different servers that have been rooted at
around the same time. At the time of the compromise I can see in each
server's sshd logs an entry like the following:

Sep 22 12:57:14 test-vm sshd[25002]: pam_unix(sshd:session): session opened for user root by (uid=0)
Sep 22 12:57:32 test-vm sshd[25002]: pam_unix(sshd:session): session closed for user root

Each of the servers has the same sort of entry in the log that matches
the time that extra processes were being executed. Having a look at
all other available logs (that were logged remotely), I can't see
anything else that relates to the same event. To me it seems odd that
there is no IP address corresponding with the login; I can't seem to
reproduce that on my test servers. I also can't see the authentication
method used, as that isn't logged. Has anyone seen this before, and does
anyone know how this is done?

Thanks

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
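One way to screen sshd logs for the pattern described in the quoted message, as an added example that is not part of this thread: a stock OpenSSH sshd writes an "Accepted <method> for <user> from <ip> port <n>" line before the pam_unix "session opened" line for the same PID, so a session-opened line with no such source line for its PID (or for a different user) is the anomaly to report and then verify on the host, e.g. with netstat as suggested above. The host name, PIDs and addresses in the sample lines are constructed.

```python
import re

# Constructed sample syslog lines: one normal login with its Accepted line,
# and one session that appears with no Accepted/source line at all.
SAMPLE_LOG = """\
Sep 22 12:40:01 test-vm sshd[24810]: Accepted publickey for admin from 192.0.2.10 port 51022 ssh2
Sep 22 12:40:01 test-vm sshd[24810]: pam_unix(sshd:session): session opened for user admin by (uid=0)
Sep 22 12:41:30 test-vm sshd[24810]: pam_unix(sshd:session): session closed for user admin
Sep 22 12:57:14 test-vm sshd[25002]: pam_unix(sshd:session): session opened for user root by (uid=0)
Sep 22 12:57:32 test-vm sshd[25002]: pam_unix(sshd:session): session closed for user root
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ACCEPTED_RE = re.compile(
    r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
OPENED_RE = re.compile(
    r"^pam_unix\(sshd:session\): session opened for user (?P<user>\S+)")


def find_sourceless_sessions(log_text):
    """Return (timestamp, pid, user) for every pam_unix 'session opened'
    line that is not preceded by an 'Accepted ... from <ip>' line for the
    same sshd PID and user. Normal logins never appear in the result."""
    accepted = {}      # pid -> (user, ip, method) from the Accepted line
    suspicious = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        a = ACCEPTED_RE.match(msg)
        if a:
            accepted[pid] = (a.group("user"), a.group("ip"), a.group("method"))
            continue
        o = OPENED_RE.match(msg)
        if o:
            info = accepted.get(pid)
            if info is None or info[0] != o.group("user"):
                suspicious.append((m.group("ts"), pid, o.group("user")))
    return suspicious


if __name__ == "__main__":
    for ts, pid, user in find_sourceless_sessions(SAMPLE_LOG):
        print(f"{ts} sshd[{pid}]: session for {user} has no Accepted/source line")
```

Run it against /var/log/auth.log (or the remote copy of it) in place of SAMPLE_LOG; any hit deserves a look at the running sshd binary and its open sockets, since a log with no source line does not mean there was no connection.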