
Critical SSH Issue Involving Education and Research Institutions

STEAM-ADVISORY NO. 2008082501
PURDUE UNIVERSITY SECURITY TEAM CIRT
Tuesday August 25 HH:MM:SS TZ YYYY

**** NOTICE ****
SSH Key Vulnerability exploitation affecting large numbers of research
and education institutions
****************

==OVERVIEW==
Starting in March of this year, a large number of research and education
systems have been compromised using stolen SSH keys.  The keys are used
to gain system access as an unprivileged user, and then local kernel
exploits are used to gain administrative access and install a rootkit
and gather more SSH keys.  STEAM-CIRT recommends that Linux system
administrators check their machines for signs of compromise using the
details and methods described below.

==SYSTEMS AFFECTED==
Linux systems using SSH

Some versions known to have been compromised:

Kernel: 2.6.22.7-57.fc6
Kernel: 2.6.22.1-32.fc6
Kernel: 2.6.22.14-72.fc6
Kernel: 2.6.22.9-61.fc6
Kernel: 2.6.20-1.2962.fc6
Kernel: 2.6.22.9-61.fc6
Kernel: 2.6.22.9-61.fc6
Kernel: 2.6.22.14-72.fc6
Kernel: 2.6.9-67.0.15 (SL4)
Kernel: 2.6.9-67.0.20 (SL4)
Fedora-Core-4/2.6.17-1.2142_FC4
Fedora-Core-3/2.6.12-2.3.legacy_FC3smp
Suse 10.0 kernel 2.6.13-15-default

Most of the discovered root exploits affect old or unpatched kernels.

==DETAILS==
So far, the attacks have concentrated on clustered research machines,
likely because the method of infection relies on trusted SSH keys, which
are most commonly used in those environments.  The following IP addresses
are known to have been used by the intruders to log in, or to drop the
phalanx rootkit or other tools.  System administrators should check their
SSH access logs and any other records for signs of communication with
these machines.  Communication with these hosts should be considered
highly suspicious.  STEAM-CIRT is also reviewing network flow records and
will notify PSCs if any flows to Purdue hosts are found.



==SOLUTIONS==
A tool exists that will detect suspicious SSH keys and may help
determine if a system has been compromised. It may be downloaded from

***LINK NO LONGER AVAILABLE***


You may want to check any Linux machines you have for these common
attack patterns:

- disabling command line history logging with
    export HISTFILE=/dev/null
  or
    unset HISTFILE


- starting out intrusions with a set of brief noninteractive logins
  across multiple candidate systems that scout out the systems,
  typically running "id", "w", "uname -a", "mount" and similar, before
  choosing a target host and trying to root it


- trying to use nfsshell to get elevated write privileges over NFS


- logging in using "ssh <host> /bin/sh -i" or "ssh <host> /bin/bash -i",
  rather than just "ssh <host>".

Artefacts found on compromised hosts:

  .p2rc       some sort of config file setting aliases for copying
              stuff by ssh, with ssh keys provided
  .phalanx2   loader of the rootkit and probably backdoor
  .sniff      sniffer log
  sshgrab.py  python script for collecting ~/.ssh dirs and shell
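As an added example (not part of the advisory or of any STEAM-CIRT tool), the following script checks each home directory for the artefact filenames listed above and for the history-disabling tricks from the attack-pattern list. The shell startup filenames it inspects and the constructed fixture in demo() are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Added example, not from the STEAM-CIRT advisory: check Linux home
directories for the artefacts and history-disabling tricks it lists."""
import os
import re
import tempfile
from pathlib import Path

SUSPECT_FILES = (".p2rc", ".phalanx2", ".sniff", "sshgrab.py")  # from the advisory
RC_FILES = (".bashrc", ".bash_profile", ".profile")  # assumed startup files
# Matches "export HISTFILE=/dev/null" or "unset HISTFILE" at the start of a line.
HIST_OFF = re.compile(r"^\s*(?:export\s+HISTFILE=/dev/null|unset\s+HISTFILE)\b", re.M)


def scan_home(home):
    """Return findings (strings) for one home directory; empty list if clean."""
    home = Path(home)
    findings = []
    for name in SUSPECT_FILES:
        if (home / name).exists():
            findings.append(f"{home}: artefact {name} present")
    for rc in RC_FILES:
        path = home / rc
        if path.is_file() and HIST_OFF.search(path.read_text(errors="replace")):
            findings.append(f"{home}: history logging disabled in {rc}")
    hist = home / ".bash_history"
    if hist.is_symlink() and os.readlink(hist) == "/dev/null":
        findings.append(f"{home}: .bash_history linked to /dev/null")
    return findings


def scan_all(root="/home"):
    """Scan every directory under root (run as root so all homes are readable)."""
    root = Path(root)
    homes = sorted(p for p in root.iterdir() if p.is_dir()) if root.is_dir() else []
    return [f for home in homes for f in scan_home(home)]


def demo():
    """Constructed fixture: one clean home and one showing the advisory's patterns."""
    base = Path(tempfile.mkdtemp())
    (base / "alice").mkdir()
    (base / "alice" / ".bashrc").write_text("export PATH=$PATH:~/bin\n")
    bad = base / "bob"
    bad.mkdir()
    (bad / ".p2rc").write_text("# constructed placeholder, not real attacker content\n")
    (bad / ".bashrc").write_text("export PATH=$PATH:~/bin\nunset HISTFILE\n")
    os.symlink("/dev/null", bad / ".bash_history")
    return scan_all(base)


if __name__ == "__main__":
    for line in scan_all() or ["no advisory artefacts found under /home"]:
        print(line)
```

A clean result only means these particular artefacts are absent; a rootkit that hides files from userland will not show up here, so pair this with the SSH log review described above.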


==FURTHER INFORMATION AND RESOURCES==

http://hep.uchicago.edu/admin/report_072808.html


==STEAM-CIRT CONTACT INFORMATION==

For questions concerning this advisory, please send email to:
 itap-securityhelp@purdue.edu.

Report computer-related abuse to steam-cirt:
 http://www.purdue.edu/securePurdue/incidentReportForm.cfm

http://www.purdue.edu/securepurdue/steam

Posted by William Davis on August 26, 2008, in Advisory Alerts.