The Community Forums


openssh-3.6.1p2 bugs

Discussion in 'General Discussion' started by Gbudiman, Jul 11, 2004.

  1. Gbudiman

    Gbudiman Member

    Joined:
    Mar 17, 2004
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Indonesia
    My servers have been compromised through OpenSSH (sshd).

    There are so many reports about it on the net. They use http://packetstormsecurity.nl/UNIX/patches/openssh-3.6.1p2-backdoor.patch.gz and make a mess in my servers :( .

    I tried to upgrade my OpenSSH to openssh-3.8p1.tar.gz, but it can't run :confused:

    Does anyone know why cPanel still uses the old version? Don't they know about it? There is no security news from cPanel about it....

    OR

    Can anyone help me with this mess?

    Regards,

    Gerald AB
     
  2. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    How do you know you were hacked through openSSH? If you're referring to the RHE rpm of openSSH openssh-3.6.1p2, then, AFAIK, it has all the security patches back-ported into it and should certainly not be vulnerable.
     
  3. Gbudiman

    Gbudiman Member

    Joined:
    Mar 17, 2004
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Indonesia
    Problem resolved but not done yet...

    How do I know....
    #1. They made a mess in my servers (installing psybncS, eggdropS, and backdoorS in some unbelievable locations like /var/spool/vbox, etc.).
    #2. So many unexpected connections I got from LogWatch (scanning, connection failures, etc.).
    #3. They (I think they, not he/she) keep trying to search for some CGI script (now I got rid of a Movable Type CGI script that allows bypassing SSL/OpenSSL to the shell. REF: h++p://www.webhostingtalk.com/showthread.php?threadid=120332&perpage=15&pagenumber=1)

    Here is how the story begins:
    - They found a CGI script (Movable Type; the script is mt.cgi) in one of my clients' public areas. They executed some misc code through it, so they got a shell account even though the user didn't have one, or had /bin/false.
    - They downloaded/uploaded some compressed files (later I learned it was a Loadable Kernel Module tarball. REF: securityfocus.com).
    - They installed some backdoors (not just one) using unpredictable ports by infecting OpenSSH 3.6.1p2 with the backdoor patch. REF: h++p://packetstormsecurity.nl/UNIX/patches/openssh-3.6.1p2-backdoor.patch.gz :eek: .

    - I've got so many notifications from sms-logwatch, LogWatch e-mail, and also by my own eyes in the system.
    - I tried to configure it, and here are some of the results.....
    #1. Tried to upgrade OpenSSH manually after there was no security update from cPanel. Result: FAIL (it needs an OpenSSL update).
    #2. Tried to upgrade OpenSSL. Result: WORKS, but some of my clients (using PostNuke) complain that their site's sessions failed. PostNuke uses an old authentication method in its session scripts.
    #3. SO... now the servers are fresh, by the name of a RELOAD system that costs US$70 each. :eek: I'm suspending some accounts that were infected by the intruders' misc scripts in their dirs.

    To be continued

    I don't know... guess which one of the Open (SSL or SSH) gets the title (bug wash) now?! Or should I say the mod_ssl from Apache too? :rolleyes:
     
  4. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    I think you're misunderstanding something ;) They're installing a back-doored version of OpenSSH. The RH version is not vulnerable; the version that they're installing is. So, if they're getting root access, you need to be looking elsewhere.
     
  5. Gbudiman

    Gbudiman Member

    Joined:
    Mar 17, 2004
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Indonesia
    Yep... I agree... the RH version is not vulnerable. Did you know that OpenSSH on a Linux box is a ported version of OpenSSH for OpenBSD? ;)

    FYI: #1. Why did cPanel choose it? #2. Why the old version (openssh.org)? #3. Nothing... :)

    REF: on my 3 boxes
    -----------------------
    root@<edit> [~]# rpm -qa | grep openssh
    openssh-server-3.6.1p2-33.30.1
    openssh-3.6.1p2-33.30.1
    openssh-clients-3.6.1p2-33.30.1
    openssh-askpass-3.6.1p2-33.30.1
    root@<edit> [~]# cat /proc/version
    Linux version 2.4.21-15.0.2.ELsmp (bhcompile@porky.build.redhat.com) (gcc version 3.2.3 20030502 (Red Hat Linux 3.2.3-35)) #1 SMP Wed Jun 16 22:52:07 EDT 2004
    root@<edit> [~]#

    ----------------------
    root@<edit> [~]# rpm -qa | grep openssh
    openssh-3.5p1-11
    openssh-server-3.5p1-11
    openssh-clients-3.5p1-11
    root@<edit> [~]# cat /proc/version
    Linux version 2.4.23 (root@cpanel01.dnspropio.com) (gcc version 3.2.2 20030222 (Red Hat Linux 3.2.2-5)) #2 SMP Fri Dec 12 22:33:14 CET 2003
    root@<edit> [~]#

    ----------------------
    root@<edit> [~]# rpm -qa | grep openssh
    openssh-3.6.1p2-33.30.1
    openssh-clients-3.6.1p2-33.30.1
    openssh-server-3.6.1p2-33.30.1
    root@<edit> [~]# cat /proc/version
    Linux version 2.4.21-4.ELsmp (bhcompile@daffy.perf.redhat.com) (gcc version 3.2.3 20030502 (Red Hat Linux 3.2.3-20)) #1 SMP Fri Oct 3 17:52:56 EDT 2003
    root@<edit> [~]#

    NO UPDATE (Even though I chose the AUTOMATIC Update STABLE)..... :confused:
    Believe me.... It's nice to share here with you all, guys! :)
     
    #5 Gbudiman, Jul 12, 2004
    Last edited: Jul 12, 2004
  6. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    cPanel don't choose to use a particular version, inasmuch as it is provided by RedHat. RedHat nearly always prefer to patch an old stable version with security patches, rather than release the latest version of an application, which may be unstable. Another good example is kernels: RedHat's are nearly always relatively old, but with security patches back-ported for stability reasons.

    You can upgrade openssh if you want to, you just have to be careful when you do.

    Incidentally, if you do an rpm -qi openssh you will probably see that openssh on RedHat Enterprise was rebuilt last in March 2004.
     
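The point chirpy makes above is that the vendor RPM itself is not the problem; a rebuilt, back-doored sshd dropped over the packaged binary is. An added example, not code from the thread, cPanel or Red Hat: a POSIX shell function that parses `rpm -V` output and flags OpenSSH package files that are missing or whose size or MD5 digest no longer matches the RPM database, skipping config and doc files that legitimately differ. The sample `rpm -V` output is constructed, and the line format (flag string, optional attribute letter, path) is an assumption about rpm's output.

```shell
#!/bin/sh
# Added example, not code from the thread or from cPanel/Red Hat.
# Parses `rpm -V` output and flags OpenSSH package files whose on-disk
# contents no longer match what the RPM database recorded, the kind of
# change a rebuilt sshd dropped over the vendor binary would produce.
# Assumed `rpm -V` line format: flag string (or "missing"), an optional
# attribute letter (c = config, d = doc, ...), then the path.

# Constructed sample output, as `rpm -V openssh openssh-server` might print
# on a box where /usr/sbin/sshd was replaced and ssh-keygen deleted:
SAMPLE_RPM_V='S.5....T    /usr/sbin/sshd
S.5....T  c /etc/ssh/sshd_config
.......T    /usr/share/man/man8/sshd.8.gz
missing     /usr/bin/ssh-keygen'

# check_rpm_verify: reads rpm -V lines from stdin, prints one line per
# non-config, non-doc file that is missing or whose size (S) or MD5 (5)
# differs. Returns 1 when something was flagged, 0 when all is clean.
check_rpm_verify() {
    found=0
    while read -r flags rest; do
        [ -z "$flags" ] && continue
        case "$rest" in
            [cdglr]\ *) attr=${rest%% *}; path=${rest#* } ;;
            *)          attr=""; path=$rest ;;
        esac
        # config (c) and documentation (d) files legitimately differ
        case "$attr" in c|d) continue ;; esac
        case "$flags" in
            missing) printf 'MISSING  %s\n' "$path"; found=1 ;;
            *S*|*5*) printf 'MODIFIED %s (%s)\n' "$path" "$flags"; found=1 ;;
        esac
    done
    return "$found"
}

# On a real box:  rpm -V openssh openssh-server | check_rpm_verify
# With --sample the check runs over the constructed sample above instead.
if [ "${1:-}" = "--sample" ]; then
    printf '%s\n' "$SAMPLE_RPM_V" | check_rpm_verify
fi
```

A clean `rpm -V` only proves the files match the RPM database; an intruder with root can also install a new package or edit the database, so treat this as one signal next to unexpected listening ports and the LogWatch noise described in the thread.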
  7. yusenda1

    yusenda1 Registered

    Joined:
    Jul 11, 2004
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Indonesia
    Movable Type?

    I've posted this information in the Movable Type support forum here h++p://www.movabletype.org/support/index.php?act=ST&f=8&t=42989&, but the developer doesn't know anything about this bug.
    Can you elaborate further on how this was done? Which version of MT is involved?
    I really need to know because your post here has made my webhoster delete my whole MT installation.

    Thanks!

    Philip Yusenda
     
  8. Gbudiman

    Gbudiman Member

    Joined:
    Mar 17, 2004
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Indonesia
    Are you missing something?

    Dear my bro Yusenda!

    I think you should be more patient and not conclude something. The issue is not about MT!
    Please read it more carefully....

    I hope this topic will be finished as soon as possible ;)
     
  9. yusenda1

    yusenda1 Registered

    Joined:
    Jul 11, 2004
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Indonesia
    Not me but my host

    Dear Sir,

    I can see the problem is with openssh, but my host does not. They practically evicted my blog (using MT) from their server, and as the reason they refer to this post here. They keep on saying "the intrusion was caused by mt.cgi, see the post in cpanel forum". So please, sir, can you elaborate more on how you concluded that mt.cgi was the entry point? What kind of "misc code" do you refer to above?

    I would really like to use MT again, but I don't want to be evicted again each time a webhoster reads your post here.

    With crushed heart,

    Indonesian Hostless Blogger
     
    #9 yusenda1, Jul 15, 2004
    Last edited: Jul 15, 2004
  10. Gbudiman

    Gbudiman Member

    Joined:
    Mar 17, 2004
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Indonesia
    Privately in your YM

    Dear Mr Yusenda!

    You keep asking me about your mt.cgi in this cPanel forum. I am Indonesian too, so I'll try to explain it clearly here in the Indonesian language.

    Please log in to your Yahoo Messenger!

    Regards
     