Gbudiman

Member
Mar 17, 2004
Indonesia
My servers have been compromised through OpenSSH (sshd).

There are so many reports about it on the net. They use http://packetstormsecurity.nl/UNIX/patches/openssh-3.6.1p2-backdoor.patch.gz and made a mess of my servers :( .

I tried to upgrade my OpenSSH to openssh-3.8p1.tar.gz, but it can't run :confused:

Does anyone know why cPanel still uses the old version? Don't they know about it? There is no security news from cPanel about it....

OR

Can anyone help me with this mess?

Regards,

Gerald AB
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
How do you know you were hacked through OpenSSH? If you're referring to the RHE rpm of OpenSSH openssh-3.6.1p2, then, AFAIK, it has all the security patches back-ported into it and should certainly not be vulnerable.
 

Gbudiman

Member
Mar 17, 2004
Indonesia
Problem resolved but not done yet...

chirpy said:
How do you know you were hacked through OpenSSH? If you're referring to the RHE rpm of OpenSSH openssh-3.6.1p2, then, AFAIK, it has all the security patches back-ported into it and should certainly not be vulnerable.
How do I know....
#1. They made a mess in my servers (installing psyBNCs, eggdrops, and backdoors in some unbelievable locations like /var/spool/vbox, etc).
#2. So many unexpected connections I got from LogWatch (scanning, connection failures, etc).
#3. They (I think they, not he/she) keep trying to search for some CGI script (now I have got rid of a Movable Type CGI script that allowed bypassing SSL/OpenSSL to the shell. REF: h++p://www.webhostingtalk.com/showthread.php?threadid=120332&perpage=15&pagenumber=1)

Here is where the story begins:
- They got a CGI script (Movable Type; the script is mt.cgi) in one of my clients' public areas. They executed some misc code through it, so they got a shell account even though the user didn't have one, or had /bin/false.
- They downloaded/uploaded some compressed files (lately I know it is a Loadable Kernel Module tarball. REF: securityfocus.com).
- They installed some backdoors (not just one) using unpredictable ports by infecting OpenSSH 3.6.1p2 with the backdoor patch REF: h++p://packetstormsecurity.nl/UNIX/patches/openssh-3.6.1p2-backdoor.patch.gz :eek: .

- I got so many notifications from SMS-LogWatch, LogWatch e-mail, and also with my own eyes in the system.
- I tried to configure it, and here are some of the results.....
#1. Tried to upgrade OpenSSH manually after there was no security update from cPanel. Result: FAIL (it needs an OpenSSL update)
#2. Tried to upgrade OpenSSL. Result: WORKS, but some of my clients (using PostNuke) complain that their sites' sessions failed. PostNuke uses an old authentication method in its session scripts.
#3. SO... now the servers are fresh, by the name of a RELOAD system that cost US$70 each. :eek: . I'm suspending some accounts that were infected by the intruders' misc scripts in their dirs.

To be continued

I don't know... guess which one of the Opens (SSL or SSH) gets the title (bug wash) now?! Or should I say the mod_ssl from Apache too? :rolleyes:
 

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
I think you're misunderstanding something ;) They're installing a back-doored version of OpenSSH. The RH version is not vulnerable; the version that they're installing is. So, if they're getting root access, you need to be looking elsewhere.
 

Gbudiman

Member
Mar 17, 2004
Indonesia
chirpy said:
I think you're misunderstanding something ;) They're installing a back-doored version of OpenSSH. The RH version is not vulnerable; the version that they're installing is. So, if they're getting root access, you need to be looking elsewhere.
Yep... I agree... the RH version is not vuln. Did you know that OpenSSH on a Linux box is a ported version of OpenSSH from the OpenBSD version? ;)

FYI: #1. Why did cPanel choose it? #2. Why the old version (openssh.org)? #3. Nothing... :)

REF: in my 3 boxes
-----------------------
[email protected]<edit> [~]# rpm -qa | grep openssh
openssh-server-3.6.1p2-33.30.1
openssh-3.6.1p2-33.30.1
openssh-clients-3.6.1p2-33.30.1
openssh-askpass-3.6.1p2-33.30.1
[email protected]<edit> [~]# cat /proc/version
Linux version 2.4.21-15.0.2.ELsmp ([email protected]) (gcc version 3.2.3 20030502 (Red Hat Linux 3.2.3-35)) #1 SMP Wed Jun 16 22:52:07 EDT 2004
[email protected]<edit> [~]#

----------------------
[email protected]<edit> [~]# rpm -qa | grep openssh
openssh-3.5p1-11
openssh-server-3.5p1-11
openssh-clients-3.5p1-11
[email protected]<edit> [~]# cat /proc/version
Linux version 2.4.23 ([email protected]) (gcc version 3.2.2 20030222 (Red Hat Linux 3.2.2-5)) #2 SMP Fri Dec 12 22:33:14 CET 2003
[email protected]<edit> [~]#

----------------------
[email protected]<edit> [~]# rpm -qa | grep openssh
openssh-3.6.1p2-33.30.1
openssh-clients-3.6.1p2-33.30.1
openssh-server-3.6.1p2-33.30.1
[email protected]<edit> [~]# cat /proc/version
Linux version 2.4.21-4.ELsmp ([email protected]) (gcc version 3.2.3 20030502 (Red Hat Linux 3.2.3-20)) #1 SMP Fri Oct 3 17:52:56 EDT 2003
[email protected]<edit> [~]#

NO UPDATE (even though I chose the AUTOMATIC Update STABLE)..... :confused:
Believe me.... It's nice to share here with you all, guys! :)

chirpy

Well-Known Member
Verified Vendor
Jun 15, 2002
cPanel don't choose to use a particular version, inasmuch as it is provided by RedHat. RedHat nearly always prefer to patch an old stable version with security patches, rather than release the latest version of an application which may be unstable. Another good example is kernels - RedHat's are nearly always relatively old, but with security patches back-ported for stability reasons.

You can upgrade openssh if you want to, you just have to be careful when you do.

Incidentally, if you do an rpm -qi openssh you will probably see that openssh on RedHat Enterprise was rebuilt last in March 2004.
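The check that follows from chirpy's point in both of his replies (the stock RH rpm is sound; a back-doored sshd is what gets dropped over it) is to verify the installed files against the rpm database. This is an added example, not code from the thread, cPanel or Red Hat: it parses the output format of `rpm -V openssh-server` (a constructed sample here) and buckets the results so a replaced binary is not buried among ordinary config edits and timestamp noise.

```python
"""Triage `rpm -V` output for an OpenSSH package (added, hypothetical example)."""

# Meaning of each position in the `rpm -V` status column (8 chars on rpm 4.2-era
# systems, 9 once the capabilities test was added); '.' = passed, '?' = not run.
RPM_V_FLAGS = ["size", "mode", "md5", "device", "readlink",
               "user", "group", "mtime", "capabilities"]

# Changes meaning the contents or ownership are not what the package shipped;
# an mtime change on its own is usually just noise.
CONTENT_FLAGS = {"size", "md5", "mode", "user", "group"}

# Constructed sample in `rpm -V` format: a replaced sshd, an edited config file
# (the 'c' marker), a touched client binary and a deleted man page.
SAMPLE_RPM_V = """\
S.5....T   /usr/sbin/sshd
..5....T c /etc/ssh/sshd_config
.......T   /usr/bin/ssh
missing    /usr/share/man/man8/sshd.8.gz
"""

def parse_rpm_verify(output):
    """Return (path, failed_tests, is_config) for each line of `rpm -V` output."""
    findings = []
    for line in output.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        status, path = tokens[0], tokens[-1]
        is_config = len(tokens) == 3 and tokens[1] == "c"
        if status == "missing":
            failed = {"missing"}
        else:
            failed = {RPM_V_FLAGS[i] for i, ch in enumerate(status) if ch not in ".?"}
        findings.append((path, failed, is_config))
    return findings

def triage(findings):
    """Bucket findings so a replaced binary is not buried among config edits."""
    buckets = {"modified": [], "config_changed": [], "missing": [], "timestamp_only": []}
    for path, failed, is_config in findings:
        if "missing" in failed:
            buckets["missing"].append(path)
        elif is_config:
            buckets["config_changed"].append(path)
        elif failed & CONTENT_FLAGS:
            buckets["modified"].append(path)
        else:
            buckets["timestamp_only"].append(path)
    return buckets
```

Feed it the text of `rpm -V openssh-server` (rpm exits non-zero whenever it reports anything, so don't treat that as an error). Because rpm -V trusts the rpm database and the running kernel, and the thread mentions an LKM tarball, a clean result on a live suspect box is inconclusive and should be repeated from rescue media.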
 

yusenda1

Registered
Jul 11, 2004
Indonesia
Movable Type ?

- They got a CGI script (Movable Type; the script is mt.cgi) in one of my clients' public areas. They executed some misc code through it, so they got a shell account even though the user didn't have one, or had /bin/false.
I've posted this information in the Movable Type support forum here h++p://www.movabletype.org/support/index.php?act=ST&f=8&t=42989&, but the developer doesn't know anything about this bug.
Can you elaborate further on how this was done? Which version of MT was involved?
I really need to know because your post here has made my web host delete my whole MT installation.

Thanks!

Philip Yusenda
 

Gbudiman

Member
Mar 17, 2004
Indonesia
Are you missing something?

Dear my bro Yusenda!

I think you should be more patient and not conclude something. The issue is not about MT!
Please read it more carefully....

I hope this topic will be finished as soon as possible ;)
 

yusenda1

Registered
Jul 11, 2004
Indonesia
Not me but my host

Dear Sir,

I can see the problem is with OpenSSH, but my host does not. They practically evicted my blog (using MT) from their server, and as the reason they refer to this post here. They keep on saying "the intrusion was caused by mt.cgi, see the post in the cPanel forum". So please, sir, can you elaborate more on how you concluded that mt.cgi was the entry point? What kind of "misc code" do you refer to above?

I really would like to use MT again, but I don't want to be evicted again each time a web host reads your post here.

With crushed heart,

Indonesian Hostless Blogger

Gbudiman

Member
Mar 17, 2004
Indonesia
Privately in your YM

Dear Mr Yusenda!

You keep asking me about your mt.cgi in this cPanel forum. I am Indonesian too, so I'll try to explain it clearly to you in Indonesian.

Please log in to your Yahoo Messenger!

Regards