SANS ISC: Internet Security | DShield

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

For the last couple of days we've been all witnesses of FUD surrounding a supposed 0-day exploit for OpenSSH skyrocketing.

At this moment, it definitely looks like we're dealing with a hoax – even more, it's not the first time someone said they have a 0-day exploit for SSH. So, let's see some facts about this.

It appears that the whole story started after a post to the Full-Disclosure mailing list on the 4th of July (http://seclists.org/fulldisclosure/2009/Jul/0028.html). The post supposedly shows a hacker group using a 0-day exploit for SSH to compromise a server. After doing some research here, it appears that this is a long standing argument between two guys (or groups). One of our readers submitted the following URL address (http://flx.me/astahack2.txt), which shows another hack.

The "exploit" used in that file is a brute force attack for sure, as can be seen below:

anti-sec:~/pwn/xpl# ./openPWN -h 66.96.220.213 -p 2222 -l=users.txt

See the "-l" option? That supplies the list of users it will try to brute force.
Additionally, a bit below it even prints which user was hacked:

       [~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>]

       user: crownvip
       uname: Linux srv01.webhostline.com
2.6.21.5-hostnoc-3.1.7-libata-grsec-32 #1 SMP Mon Feb 11 06:36:58 EST 2008 i686 i686 i386 GNU/Linux

Now, what has been posted on the Full-Disclosure list (the supposed
exploit) looked like this:

anti-sec:~/pwn/xpl# ./0pen0wn -h xx.yy.143.133 -p 22

Same group, same server, same directory – different file name. Why didn't they use the mighty 0-day first time? They brute forced into the server and then had to jail break.
This looks very much like a hoax to me – and this is the only evidence we have about a 0-day? A post from an anonymous e-mail address (hushmail) to the Full-Disclosure mailing list (which, we all have to admit, isn't the best source of verified information)? And this was even enough for some web hosting companies to *shut down* their SSH service? I find this unbelievable.

Finally, OpenSSH developers would probably agree with me – one of the developers sent an e-mail to the Openssh-unix-dev mailing list (http://lwn.net/Articles/340483/) also stating the obvious.

So, I'd like to ask everyone not to spread the FUD anymore. Every piece of evidence we received so far points only to brute force attacks on SSH servers (which have been around for years!). Do keep an eye on your server and install all patches. We will post more information if we receive it, but until then I think there was enough of this FUD.

--
Bojan