#1  11-12-2009, 11:49 AM  OffbeatAdam (Registered User, San Antonio, TX)
Remotely replaced sshd_config, CentOS 5.3/SSH 4.3p2-36el5_4.2

Hello Everyone,

Fighting a bit of a nasty morning... anyone seen this before?

We have a number of servers that have password authentication disabled as well as shell access disabled for all users except those who have keys. These servers run cPanel and have been updated to the following specs:

2.6.18-164.el5PAE #1 SMP Thu Sep 3 04:10:44 EDT 2009 i686 i686 i386 GNU/Linux
openssh-4.3p2-36.el5_4.2

Early (around midnight-1am CST) this morning we had a widespread attack via an unknown vector. In the attack, the only thing that I can find is the following (IP blacked out, although it is the attackers' address):

Nov 12 04:31:22 sharedserver/sharedserver sshd[16083]: Received disconnect from 100.100.100.100: 11: No supported authentication methods available
Nov 12 04:32:14 sharedserver/sharedserver sshd[11265]: Received signal 15; terminating.
Nov 12 04:32:14 sharedserver/sharedserver sshd[16570]: Server listening on :: port 2.
Nov 12 04:32:14 sharedserver/sharedserver sshd[16570]: error: Bind to port 2 on 0.0.0.0 failed: Address already in use.
Nov 12 04:32:27 sharedserver/sharedserver sshd[16611]: Accepted password for root from 100.100.100.100 port 3630 ssh2
Nov 12 04:32:27 sharedserver/sharedserver sshd[16611]: pam_unix(sshd:session): session opened for user root by (uid=0)


The concerning part is that it obviously appears that there is someone reloading SSHD, but there is no successful login (at all) via shell prior to this.

This time corresponds with a modified sshd_config that then allows password authentication, whereby the user then logs in as root and has a good time, so to speak.

I know that the following vulnerability is out in the wild:

Linux Kernel 'sock_sendpage()' NULL Pointer Dereference Vulnerability

However, since the user never actually logged into the server from what I can see, I'm still searching for the real way that this occurred.

I have logs from these servers; if you need other information to help track this down, that is possible. I'm having a hard time finding the vector for this attack though...

Any assistance would be greatly appreciated.
#2  11-16-2009, 03:40 PM  Spiral (Senior Member, Area 51)

Without more information, the first thing I would check is /var/log/yum.log and look for recent 'ssh' or 'openssh' entries to make sure you didn't simply get an incoming system update.

Next, I'd take a bit closer look at both "secure" and "messages" and also the Apache access log files around the same period as what you quoted.

Regardless of whether the above turns up any additional information, it would be wise to do a complete and thorough security analysis to make sure you don't have any exploitable holes still open or compromises already made of which you might not be aware.

Now regarding certificates or password authentication: that is not nearly as important as the above, as using password authentication with a sufficiently long and completely randomized password is statistically about as secure as using certificates, and there is little additional advantage either way, though it usually won't hurt unless someone or something comes and blows away your certificates; but the same could be said for the passwords as well.

Regarding your kernel, you are a little behind on updates for CentOS or Red Hat, but not severely, unless you are talking about manually compiled kernels, which do go substantially further. For the standard release, the current latest is 2.6.18-164.6.1 and you are only running 2.6.18-164, so a kernel update might also be in order here.

If you need any assistance, please let me know, as this is in fact my particular area of expertise (server / network security).
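The log sequence in post #1 (client refused for lack of any offered auth method, sshd sent SIGTERM, then a password login for root from the same address seconds later) and the checks suggested in post #2 (rule out a yum update as the cause of the restart, then review what sshd_config actually permits) can both be scripted. The following is an added example written for this thread, not code from any poster or from cPanel. The sample /var/log/secure lines are constructed to match the excerpt in post #1, the /var/log/yum.log line layout ("Mon DD HH:MM:SS Action: package") and the year 2009 are assumptions, and the two sshd_config fragments are made up to stand for the hardened and the tampered state the thread describes.

```python
"""Triage helpers for the sshd restart / password-login sequence in this thread.

Added example, not code from the thread. Sample inputs are constructed here,
modelled on the log excerpt in post #1; the yum.log line layout is assumed.
"""
import re
from datetime import datetime, timedelta

YEAR = 2009  # syslog lines carry no year; assumed from the thread's dates

# Constructed /var/log/secure excerpt, modelled on the lines quoted in post #1.
SECURE_LOG = """\
Nov 12 04:31:22 sharedserver sshd[16083]: Received disconnect from 100.100.100.100: 11: No supported authentication methods available
Nov 12 04:32:14 sharedserver sshd[11265]: Received signal 15; terminating.
Nov 12 04:32:14 sharedserver sshd[16570]: Server listening on :: port 2.
Nov 12 04:32:14 sharedserver sshd[16570]: error: Bind to port 2 on 0.0.0.0 failed: Address already in use.
Nov 12 04:32:27 sharedserver sshd[16611]: Accepted password for root from 100.100.100.100 port 3630 ssh2
Nov 12 04:32:27 sharedserver sshd[16611]: pam_unix(sshd:session): session opened for user root by (uid=0)
"""

# Constructed /var/log/yum.log excerpt (assumed "Mon DD HH:MM:SS Action: package" layout).
YUM_LOG = """\
Nov 05 03:12:09 Updated: openssh-server-4.3p2-36.el5_4.2.i386
Nov 11 22:05:41 Updated: bash-3.2-24.el5.i386
"""

# Constructed sshd_config fragments: the intended hardening, and the state post #1 describes.
HARDENED_CONFIG = "PasswordAuthentication no\nPermitRootLogin without-password\n"
TAMPERED_CONFIG = "PasswordAuthentication yes\nPermitRootLogin yes\n"

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
ACCEPT_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
REJECT_RE = re.compile(r"Received disconnect from (?P<ip>[\d.]+): 11: No supported authentication methods")
YUM_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<action>\w+): (?P<pkg>\S+)")


def parse_ts(text):
    """Turn a syslog/yum.log timestamp ("Nov 12 04:32:14") into a datetime."""
    return datetime.strptime(f"{YEAR} {text}", "%Y %b %d %H:%M:%S")


def find_suspicious_restarts(lines, window_s=120):
    """Flag every sshd stop (SIGTERM) that is followed within window_s seconds by a
    password login, and note whether that client had just been refused because no
    authentication method was on offer: the exact shape of the logs in post #1."""
    events = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if m:
            events.append((parse_ts(m["ts"]), m["msg"]))
    findings = []
    for i, (t_stop, msg) in enumerate(events):
        if not msg.startswith("Received signal 15; terminating"):
            continue
        # Addresses refused before the daemon went down.
        rejected = {r["ip"] for _, m in events[:i] for r in [REJECT_RE.search(m)] if r}
        for t, m in events[i + 1:]:
            if t - t_stop > timedelta(seconds=window_s):
                break
            a = ACCEPT_RE.search(m)
            if a and a["method"] == "password":
                findings.append({
                    "restart": t_stop,
                    "user": a["user"],
                    "ip": a["ip"],
                    "delay_s": int((t - t_stop).total_seconds()),
                    "prior_rejection": a["ip"] in rejected,
                })
    return findings


def package_updates_near(yum_lines, when, window_s=600, pattern=r"openssh|kernel"):
    """Post #2's first check: list openssh/kernel package actions within window_s
    seconds of the restart, to rule out a legitimate update as the cause."""
    hits = []
    for line in yum_lines:
        m = YUM_RE.match(line)
        if not m or not re.search(pattern, m["pkg"]):
            continue
        if abs((parse_ts(m["ts"]) - when).total_seconds()) <= window_s:
            hits.append(f"{m['action']}: {m['pkg']}")
    return hits


def audit_sshd_config(text):
    """Report the two directives the incident hinged on. As in sshd, the first
    occurrence of a keyword wins; defaults are those of OpenSSH 4.3 (both 'yes').
    Match blocks are not handled (the samples contain none)."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        seen.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return {
        "password_auth": seen.get("passwordauthentication", "yes").lower() == "yes",
        "permit_root_login": seen.get("permitrootlogin", "yes").lower(),
    }


if __name__ == "__main__":
    for f in find_suspicious_restarts(SECURE_LOG.splitlines()):
        print(f"sshd stopped at {f['restart']}; password login for {f['user']} from "
              f"{f['ip']} {f['delay_s']}s later (refused earlier: {f['prior_rejection']})")
        print("package updates near restart:",
              package_updates_near(YUM_LOG.splitlines(), f["restart"]) or "none")
    print("hardened:", audit_sshd_config(HARDENED_CONFIG))
    print("tampered:", audit_sshd_config(TAMPERED_CONFIG))
```

On a real box the same functions take `open("/var/log/secure").read().splitlines()` and the yum log in place of the constructed samples. An empty result from `package_updates_near` around the restart time, combined with a flagged password login whose client had been refused moments earlier, is the combination that says the restart was not an update and the configuration was changed by some other means; the config audit then shows which directive was flipped.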
#3  11-21-2009, 02:04 PM  BianchiDude (cPanel Partner NOC)
He put this same post on linuxquestions.org.

Remotely replaced sshd_config, CentOS 5.3/SSH 4.3p2-36el5_4.2 - LinuxQuestions.org
#4  12-10-2009, 12:45 PM  BareckObama (Registered User)
Is it cPanel chkservd restarting it? However, the IP 100.100.100.100 is strange.
Quote: Originally Posted by OffbeatAdam
#5  12-10-2009, 02:43 PM  WebHostDog (Registered User)
Upgrade your kernel. It is vulnerable.