Possible SSH Compromise - Is OpenSSH VULN!?!

Discussion in 'General Discussion' started by jackie46, May 5, 2006.

  1. jackie46

    jackie46 BANNED

    Joined:
    Jul 25, 2005
    Messages:
    537
    Likes Received:
    0
    Trophy Points:
    0
    Is openssh-3.6.1p2-33.30.6 vulnerable? This is the version of OpenSSH on my RHEL3 server.

    When we secured the box, we moved SSH to another port and disabled root logins. We moved it to port 7755, let's say, enabled SSH 2 and disabled root logins.

    When we attempted to log in to the server today, on port 7755, we noticed we could not log in. Trying repeatedly gave us the same denied login error. Baffled as to why, we tried port 22 and, lo and behold, the login was successful. Also, the last reported login shows nothing, just blank. It used to always show the last reported logged-in user. STRANGE!

    Upon investigation we find that sshd_config has been reset to port 22 by somebody on April 12. It was not us. Everything in sshd_config has been commented out.

    It used to look like this:

    Port 7755
    Protocol 2
    #ListenAddress 0.0.0.0
    #ListenAddress ::

    Now it looks like this:

    #Port 7755
    #Protocol 2,1
    #ListenAddress 0.0.0.0
    #ListenAddress ::

    I scoured 4 weeks of logs and cannot find the point of entry, and the box is clean. There is no evidence of a root, but SSH has been set back to port 22, very odd.

    Yes, we have many, many people pounding port 22: over 1,900 yesterday according to logwatch. None of our users have SSH access.

    I looked at /etc/passwd and counted up all the valid user accounts in the password file, which comes to 50 valid accounts. In WHM the number of valid users set up is 49. That means there is one extra account in /etc/passwd unaccounted for. I looked again, then I found it.

    It's this line, the second to last entry in /etc/passwd, sshd:x:32052:32052::/home/sshd:/bin/bash, that's pointing to /home and /bin/bash.

    I looked in /home and found a /home/sshd account with only 3 files in it

    drwx------ 2 sshd sshd 4096 Mar 20 04:52 ./
    drwx--x--x 53 root root 4096 Apr 24 09:26 ../
    -rw-r--r-- 1 sshd sshd 24 Mar 20 04:52 .bash_logout
    -rw-r--r-- 1 sshd sshd 191 Mar 20 04:52 .bash_profile
    -rw-r--r-- 1 sshd sshd 124 Mar 20 04:52 .bashrc

    Which doesn't make sense, since we did not create this account and it's not in WHM.

    In the /etc/passwd file I find an entry, second from the last, for sshd that looks like this.

    sshd:x:32052:32052::/home/sshd:/bin/bash
    promoart:x:32053:32053::/home/promoart:/usr/local/cpanel/bin/noshell

    Can anyone verify that sshd should be pointing to /bin/bash? It doesn't look right to me.

    I compared that sshd account with another one of our RHEL3 boxes and it looks very different. On that box sshd looks like this:

    sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin

    Can I simply modify this using vipw to point back to the proper directory, or can I remove it?

    The box is as clean as a whistle; if somebody did get root, why did they not root the server completely?
     
    #1 jackie46, May 5, 2006
    Last edited: May 5, 2006
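The account check the poster did by hand, as an added example (not code from the thread or from cPanel): it parses /etc/passwd and flags daemon accounts that look like real login accounts, which is exactly the shape of the rogue sshd entry above. The service-account list beyond sshd and the 500 system-UID boundary are assumptions for illustration.

```python
# Added example, not from the thread: flag daemon accounts in /etc/passwd that
# look like real login accounts, as the sshd entry the poster found does.
from typing import List, NamedTuple, Tuple

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false",
                  "/usr/local/cpanel/bin/noshell"}
# Accounts that should never have a login shell or a /home directory.
# Only sshd appears in the thread; the rest are assumed for illustration.
SERVICE_ACCOUNTS = {"sshd", "daemon", "bin", "nobody", "mail", "ftp"}
SYSTEM_UID_MAX = 500   # assumption: RHEL3 allocates daemon UIDs below 500

PasswdEntry = NamedTuple("PasswdEntry", [("name", str), ("uid", int), ("gid", int),
                                         ("gecos", str), ("home", str), ("shell", str)])

def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse passwd-format text; blank lines and comments are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        entries.append(PasswdEntry(f[0], int(f[2]), int(f[3]), f[4], f[5], f[6]))
    return entries

def audit(entries: List[PasswdEntry]) -> List[Tuple[str, str]]:
    """Return (account, reason) pairs for every suspicious entry."""
    findings = []
    for e in entries:
        if e.uid == 0 and e.name != "root":
            findings.append((e.name, "UID 0 account that is not root"))
        if e.name not in SERVICE_ACCOUNTS:
            continue
        if e.shell not in NOLOGIN_SHELLS:
            findings.append((e.name, f"login shell {e.shell}"))
        if e.home.startswith("/home/"):
            findings.append((e.name, f"home directory {e.home}"))
        if e.uid >= SYSTEM_UID_MAX:
            findings.append((e.name, f"user-range UID {e.uid}"))
    return findings

# Constructed sample: root plus the two lines quoted from the affected box.
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
sshd:x:32052:32052::/home/sshd:/bin/bash
promoart:x:32053:32053::/home/promoart:/usr/local/cpanel/bin/noshell
"""
# The stock sshd entry quoted from the poster's other RHEL3 server.
REFERENCE = "sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin"
```

Running `audit(parse_passwd(SAMPLE))` reports the rogue sshd entry three times (shell, home, UID) and nothing for promoart, while the stock REFERENCE line is clean.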
  2. jackie46

    I was looking at the possibility that somebody used the USERHELP vuln that was found in RH 6.x so many years ago to escalate themselves to root level access.

    I do not see this on any other RHEL3 server, but I see it at 4:37am every day. I don't know where it's coming from, since there is no cron in /etc/cron.daily that I can see that is executing it, but it does run every day. As I said, I see it in the secure log file.

    Anyone know what this is?

    Apr 30 04:37:24 server userhelper[2793]: pam_timestamp: updated timestamp file `/var/run/sudo/root/unknown'
    Apr 30 04:37:24 server userhelper[2797]: running '/usr/sbin/up2date --nox -i bind bind-devel bind-utils bzip2 expect freetype freetype-devel gcc gd gd-devel gd-progs gd-utils gnupg libgd1 libgd1-devel libmysqlclient10-dev lynx openssh openssh-clients openssh-server openssl openssl-devel openssl-misc perl-CPAN pine sharutils ucd-snmp ucd-snmp-devel ucd-snmp-utils wget XFree86-devel XFree86-libs' with root privileges on behalf of 'root'
    Apr 30 04:37:28 server userhelper[2808]: pam_timestamp: updated timestamp file `/var/run/sudo/root/unknown'
    Apr 30 04:37:28 server userhelper[2812]: running '/usr/sbin/up2date --nox -u' with root privileges on behalf of 'root'
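A way to make sense of log lines like the ones above, as an added example that is not from the thread: it parses the userhelper "running ... with root privileges" entries from a RHEL3 /var/log/secure, groups them by time of day so a daily job such as the 04:37 one stands out, and flags any executable not on an allow list. The allow list, and the fourth constructed log line showing an escalation that would be flagged, are assumptions for illustration.

```python
# Added example, not from the thread: summarise userhelper privilege
# escalations in /var/log/secure and flag executables outside an allow list.
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) userhelper\[(?P<pid>\d+)\]: "
    r"running '(?P<cmd>[^']*)' with root privileges on behalf of '(?P<user>[^']*)'$"
)

# Assumption for illustration: package updates via up2date are expected here.
ALLOWED_EXECUTABLES = {"/usr/sbin/up2date"}

def parse_userhelper(log_text):
    """Return one dict per escalation line: ts, host, pid, user, exe, args."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # pam_timestamp lines and unrelated entries are skipped
        argv = m.group("cmd").split()
        events.append({"ts": m.group("ts"), "host": m.group("host"),
                       "pid": int(m.group("pid")), "user": m.group("user"),
                       "exe": argv[0] if argv else "", "args": argv[1:]})
    return events

def unexpected(events, allowed=ALLOWED_EXECUTABLES):
    """Escalations whose executable is not on the allow list."""
    return [e for e in events if e["exe"] not in allowed]

def by_time_of_day(events):
    """Count escalations per HH:MM so a recurring daily job stands out."""
    counts = defaultdict(int)
    for e in events:
        counts[e["ts"].split()[-1][:5]] += 1
    return dict(counts)

# Constructed sample: three lines from the post (up2date arguments shortened)
# plus one invented escalation by a non-root user that should be flagged.
SAMPLE_LOG = """\
Apr 30 04:37:24 server userhelper[2793]: pam_timestamp: updated timestamp file `/var/run/sudo/root/unknown'
Apr 30 04:37:24 server userhelper[2797]: running '/usr/sbin/up2date --nox -i bind openssh-server' with root privileges on behalf of 'root'
Apr 30 04:37:28 server userhelper[2812]: running '/usr/sbin/up2date --nox -u' with root privileges on behalf of 'root'
May  1 03:12:05 server userhelper[3104]: running '/bin/sh -c id' with root privileges on behalf of 'promoart'
"""

if __name__ == "__main__":
    events = parse_userhelper(SAMPLE_LOG)
    print(len(events), "escalations by time of day:", by_time_of_day(events))
    for e in unexpected(events):
        print("UNEXPECTED:", e["ts"], e["user"], e["exe"], " ".join(e["args"]))
```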
     
  3. jackie46

    Well? Does anyone have any idea?
     
  4. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    This wasn't an update to ssh was it?
     
  5. jackie46

    Not at all.
     
  6. Parcye

    Parcye Well-Known Member

    Joined:
    May 19, 2004
    Messages:
    56
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Eindhoven
    Sorry for the huge kick, but I now have the same problem. Every day this gets run and the server becomes unreachable via http, mail, ftp and ssh, but is still responding to pings.
     