Cron sshd attack?

Vigox63 · Jan 19, 2012

Hello, I've received an attack on my server on ssh port, apparently using cron by remote. The intruder is successfully entered in my system as Super-user, (this server is empty, just for pen-testing) and reset my .authlog and changed privileges on .secure to read. I've noticed it thanks to multitail program that was running a real time scanning of both files

. Is this reasonably possible? How? I was using ssh 2.0.

Thanks

gkontos · Jan 19, 2012

Hi,

Could you please provide a little audit trail so that we can follow better on what has happened?

Regards

SirDice · Jan 19, 2012

Vigox63 said:
The intruder is successfully entered in my system as Super-user, (this server is empty, just for pen-testing)

This is not allowed by default for this very reason. Turn root logins back off!

Is this reasonably possible? How?

Your account was most likely bruteforced. There are hundreds of scans being done at any given moment. Just because it's a test server this doesn't mean you don't have to take precautions when hooking up a system to the internet.

Vigox63 · Jan 19, 2012

Sure!

Code:

10 20:00:09 justitia sshd[28529]: Failed password for root from 180.186.72.53 port 35005 ssh2
Jan 10 20:00:09 justitia sshd[30189]: Received disconnect from 180.186.72.53: 11: Bye Bye
Jan 10 20:00:16 justitia sshd[1045]: Failed password for root from 180.186.72.53 port 35215 ssh2
Jan 10 20:00:16 justitia sshd[26661]: Failed password for root from 180.186.72.53 port 35215 ssh2
Jan 10 20:00:16 justitia sshd[1045]: Received disconnect from 180.186.72.53: 11: Bye Bye
Jan 10 20:00:22 justitia sshd[27986]: Failed password for root from 180.186.72.53 port 35560 ssh2
Jan 10 20:00:22 justitia sshd[17577]: Failed password for root from 180.186.72.53 port 35560 ssh2
Jan 10 20:00:23 justitia sshd[27986]: Received disconnect from 180.186.72.53: 11: Bye Bye
Jan 10 20:00:30 justitia sshd[11210]: Failed password for root from 180.186.72.53 port 35904 ssh2
Jan 10 20:00:30 justitia sshd[13893]: Failed password for root from 180.186.72.53 port 35904 ssh2
Jan 10 20:00:30 justitia sshd[11210]: Received disconnect from 180.186.72.53: 11: Bye Bye
Jan 10 20:00:42 justitia sshd[7100]: Connection closed by 180.186.72.53
Jan 11 07:52:48 justitia sshd[7593]: Server listening on :: port 22.
Jan 11 07:52:48 justitia sshd[7593]: Server listening on 0.0.0.0 port 22.
Jan 11 19:44:58 justitia sshd[25594]: Did not receive identification string from 119.59.121.72
Jan 11 19:49:33 justitia sshd[3508]: Invalid user cron from 119.59.121.72
Jan 11 19:49:33 justitia sshd[14892]: input_userauth_request: invalid user cron
Jan 11 19:49:33 justitia sshd[14892]: Failed password for invalid user cron from 119.59.121.72 port 38995 ssh2
Jan 11 19:49:33 justitia sshd[3508]: Failed password for invalid user cron from 119.59.121.72 port 38995 ssh2
Jan 11 19:49:33 justitia sshd[14892]: Received disconnect from 119.59.121.72: 11: Bye Bye
Jan 12 00:00:01 justitia newsyslog[21228]: logfile turned over
tail:
/var/log/authlog has been replaced, reopening.
Jan 12 00:00:01 justitia newsyslog[21228]: logfile turned over

Note that :

1) Multilink was turned off
2) Privileges on authlog and secure was altered
3) Some other privilege of super user was altered, but as soon as I saw the attack I've disconnected it from internet.

Vigox63 · Jan 19, 2012

Thanks I've posted some code but can't see it for now. Anyway root access was disabled from sshd.

SirDice · Jan 19, 2012

Then they probably bruteforced some user account. If that user account has full sudo(8) access your attacker will have it too. Remember, they bruteforced the password to get in, that means they can also use sudo(8) if it's been configured for that account.

You didn't state which version of FreeBSD you have but if you had telnet enabled they may have used a, relatively recent, security vulnerability.

http://security.freebsd.org/advisories/FreeBSD-SA-11:08.telnetd.asc

As a postmortem analysis, have a look at root's command history. They sometimes forget to clear it and it'll give you some insight in what your attacker may have done.

Vigox63 · Jan 19, 2012

This was last log file:

Code:

10 20:00:09 justitia sshd[28529]: Failed password for root from 180.186.72.53 port 35005 ssh2
Jan 10 20:00:09 justitia sshd[30189]: Received disconnect from 180.186.72.53: 11: Bye Bye
Jan 10 20:00:16 justitia sshd[1045]: Failed password for root from 180.186.72.53 port 35215 ssh2
Jan 10 20:00:16 justitia sshd[26661]: Failed password for root from 180.186.72.53 port 35215 ssh2
Jan 10 20:00:16 justitia sshd[1045]: Received disconnect from 180.186.72.53: 11: Bye Bye
Jan 10 20:00:22 justitia sshd[27986]: Failed password for root from 180.186.72.53 port 35560 ssh2
Jan 10 20:00:22 justitia sshd[17577]: Failed password for root from 180.186.72.53 port 35560 ssh2
Jan 10 20:00:23 justitia sshd[27986]: Received disconnect from 180.186.72.53: 11: Bye Bye
Jan 10 20:00:30 justitia sshd[11210]: Failed password for root from 180.186.72.53 port 35904 ssh2
Jan 10 20:00:30 justitia sshd[13893]: Failed password for root from 180.186.72.53 port 35904 ssh2
Jan 10 20:00:30 justitia sshd[11210]: Received disconnect from 180.186.72.53: 11: Bye Bye
Jan 10 20:00:42 justitia sshd[7100]: Connection closed by 180.186.72.53
Jan 11 07:52:48 justitia sshd[7593]: Server listening on :: port 22.
Jan 11 07:52:48 justitia sshd[7593]: Server listening on 0.0.0.0 port 22.
Jan 11 19:44:58 justitia sshd[25594]: Did not receive identification string from 119.59.121.72
Jan 11 19:49:33 justitia sshd[3508]: Invalid user cron from 119.59.121.72
Jan 11 19:49:33 justitia sshd[14892]: input_userauth_request: invalid user cron
Jan 11 19:49:33 justitia sshd[14892]: Failed password for invalid user cron from 119.59.121.72 port 38995 ssh2
Jan 11 19:49:33 justitia sshd[3508]: Failed password for invalid user cron from 119.59.121.72 port 38995 ssh2
Jan 11 19:49:33 justitia sshd[14892]: Received disconnect from 119.59.121.72: 11: Bye Bye
Jan 12 00:00:01 justitia newsyslog[21228]: logfile turned over
tail:
/var/log/authlog has been replaced, reopening.
Jan 12 00:00:01 justitia newsyslog[21228]: logfile turned over

Vigox63 · Jan 19, 2012

Ok, but..HOW they can bruteforce an account through ssh? My last logs reports thousands of dictionary attacks, I really doubt that with them it is possible to enter. I've heard that with cron from remote you can execute arbitrary code in a remote machine, but can't understand how. Now if I try to enter my server from another of my host with ssh it appear the ssh public key warning too.

SirDice · Jan 19, 2012

Vigox63 said:
Ok, but..HOW they can bruteforce an account through ssh?

Having accounts with easily guessed passwords would do the trick.

My last logs reports thousands of dictionary attacks, i really doubt that with them it is possible to enter.

That's why tools like security/sshguard exist. And yes, it's possible. Hundreds of machines are hacked on a daily basis this way. Why else do you think they scan for it?

I've hear that with cron from remote you can execute arbitrary code in a remote machine, but can't understand how.

Cron is not network accessible and a cron user account doesn't exist. So, no, this is not possible.

Now if i try to enter my server from another of my host with ssh it appear the ssh public key warning too.

Your server got pwn3d. You can't trust anything on it anymore. Take it offline, wipe it completely and reinstall.

Vigox63 · Jan 19, 2012

SirDice said:
Then they probably bruteforced some user account. If that user account has full sudo(8) access your attacker will have it too. Remember, they bruteforced the password to get in, that means they can also use sudo(8) if it's been configured for that account.

You didn't state which version of FreeBSD you have but if you had telnet enabled they may have used a, relatively recent, security vulnerability.

http://security.freebsd.org/advisories/FreeBSD-SA-11:08.telnetd.asc

As a postmortem analysis, have a look at root's command history. They sometimes forget to clear it and it'll give you some insight in what your attacker may have done.

Thanks. the .secure file is no more read by superuser, only by root, but nothing strange is changed over there (maybe they've deleted some). Last report was made made cron username, I can't post the code, wating for moderators, but the lookup at the IPs said to me all were made from Bejing, China, ISP BEIJING TIMES TELECOM ENGINEERING CORPORATION LIMITED

Vigox63 · Jan 19, 2012

eheh, thanks I know it was pawn3d

but I want to try to understand how. Doubting on dictonary attack for a simple reason: my password, was really hard to crack with a simple dictionary, and telling the true, my last OS was not exactly ~~Freebsd~~ FreeBSD, but OpenBSD 3.6 (old version that supports poweredge 2650 rack)

DutchDaemon · Jan 19, 2012

If we're talking about an OpenBSD system this topic simply does not belong here, and you should have asked this question at an OpenBSD forum. We have limited scope and limited resources, we can't support every *BSD out there.

SirDice · Jan 19, 2012

Vigox63 said:
Doubting on dictonary attack for a simple reason: my password, was really hard to crack with a simple dictionary

You might be in for a surprise. But, who said they broke into your account? If there are other accounts on the machine they may have cracked those.

Or perhaps they used some other way to get in, a broken or misconfigured web application perhaps?

gkontos · Jan 19, 2012

Vigox63 said:
eheh, thanks I know it was pawn3d but I want to try to understand how. Doubting on dictonary attack for a simple reason: my password, was really hard to crack with a simple dictionary, and telling the true, my last OS was not exactly ~~Freebsd~~ FreeBSD, but OpenBSD 3.6 (old version that supports poweredge 2650 rack)

So, is this a FreeBSD box? If yes then please specify the version.

Going through /var/log/messages should show you which user performed a sudo operation.

tesla · Jan 19, 2012

I would suggest changing the default ssh port, it cut down 90% of these bruteforce attacks on my end, but the ip you reported is hacking a whole bunch of servers out there.. Most of these attacks seem to be coming from China

Vigox63 · Jan 20, 2012

Thanks to all for the reply.

@SirDice and gKontos: I've got only FreeBSD on this machine with only ssh port open. No web application or other thighs.

@tesla: Thanks, I would like to use ssh port to enforce his implementation and OpenBSD, that is based on FreeBSD (but it's all in crypto, not just port 22). Yes a lot of attacks I've received were from China, and I think they have stolen my pass with some various Android application like "connectbox" or others. For my personal opinion, all the attacks were based on a ssh weakness or a man in the middle attack with trojan horse through android. A friend of mine has recently been hacked in his hotmail account, because he always access through android at these apps, and he found, when sending email, that who was receiving the email , at the bottom, found a lot of chinese characters (html code injection)and a web site with this link (http://www.iteasypass.com/). Someone that would impersonate some sort of cisco online class (I'm in Cisco here in Europe but i didin't know that in China Cisco release CCNA/CCNP certifications). After resetting his smartphone and changing the hotmail pass, no more china html was present.

So be careful with Android, it seems that Bejing and their hackers team are very interested in these apps, they are all trojans.

DutchDaemon · Jan 20, 2012

Vigox63 said:
OpenBSD, that is based on FreeBSD

Ouch. Ehm no. If OpenBSD is based on anything, it's NetBSD.

So be careful with Android, it seems that Bejing and their hackers team are very interested in these apps, they are all trojans.

This should be common knowledge to anyone using Android Market, really. There are a lot of dodgy applications there, and the attitude you really don't want is "Oh, that looks nice, I'll just install and run it." That is really asking for trouble. Be critical and discerning with Android apps. It's not the FreeBSD ports tree with its carefully maintained history and security record.

SirDice · Jan 20, 2012

DutchDaemon said:
Be critical and discerning with Android apps.

I'd even go a little further. Be critical and discerning with any application regardless of the OS.

It's not the FreeBSD ports tree with its carefully maintained history and security record.

And even that screws up sometimes. Thread 19849

Vigox63 · Jan 20, 2012

DutchDaemon said:
Ouch. Ehm no. If OpenBSD is based on anything, it's NetBSD

It result me http://www.openbsd.org/ 4.4BSD-based UNIX-like operating system. Is it the same as NetBSD?

DutchDaemon · Jan 21, 2012

http://www.svbug.com/historybsd.html
http://www.svbug.com/historybsd2.html

Cron sshd attack?

Vigox63

gkontos

SirDice

Administrator

Vigox63

Vigox63

SirDice

Administrator

Vigox63

Vigox63

SirDice

Administrator

Vigox63

Vigox63

DutchDaemon

Administrator

SirDice

Administrator

gkontos

tesla

Vigox63

DutchDaemon

Administrator

SirDice

Administrator

Vigox63

DutchDaemon

Administrator