Mailinglist Archive: opensuse-security (14 mails)

[opensuse-security] Break-in via ftp and tomcat accounts
  • From: Bob Vickers <bobv@xxxxxxxxxxxxx>
  • Date: Wed, 3 Nov 2010 17:16:01 +0000 (GMT)
  • Message-id: <alpine.LNX.2.00.1011031621430.16558@xxxxxxxxxxxxxxxxxxxxx>
Hello All,

We recently suffered a rather puzzling intrusion on an OpenSUSE 11.3 workstation and I wondered whether anyone else had seen anything similar.

This computer allowed (it doesn't any more) ssh access from anywhere in the world, and anyone with this set-up expects to see lots of failed login attempts in the log.

On 24th Sept one of these attacks was taking place and generated the worrying message
sshd[26712]: Accepted password for ftp from 221.6.15.150 port 60041 ssh2

A couple of days later there were a whole bunch of them. It seems that all the system accounts had become open.
sshd[12088]: Accepted password for tomcat from 69.143.190.100 port 62729 ssh2
sshd[12130]: Accepted password for ftp from 69.143.190.100 port 63316 ssh2
sshd[12166]: Accepted password for postfix from 69.143.190.100 port 63739 ssh2
sshd[12192]: Accepted password for mysql from 69.143.190.100 port 60222 ssh2
sshd[12292]: Accepted password for nobody from 69.143.190.100 port 62565 ssh2
sshd[12336]: Accepted password for wwwrun from 69.143.190.100 port 63245 ssh2
sshd[12350]: Accepted password for news from 69.143.190.100 port 63501 ssh2
sshd[12382]: Accepted password for games from 69.143.190.100 port 63864 ssh2
sshd[12414]: Accepted password for mail from 69.143.190.100 port 60051 ssh2
sshd[12450]: Accepted password for sshd from 69.143.190.100 port 60814 ssh2
sshd[12460]: Accepted password for bin from 69.143.190.100 port 61108 ssh2
sshd[12490]: Accepted password for daemon from 69.143.190.100 port 61467 ssh2
sshd[12520]: Accepted password for lp from 69.143.190.100 port 61779 ssh2
sshd[12556]: Accepted password for uucp from 69.143.190.100 port 62212 ssh2
sshd[12981]: Accepted password for mysql from 69.143.190.100 port 60149 ssh2
sshd[12999]: Accepted password for ftp from 69.143.190.100 port 60514 ssh2
sshd[13073]: Accepted password for mysql from 69.143.190.100 port 61914 ssh2
sshd[13093]: Accepted password for sshd from 69.143.190.100 port 62346 ssh2
sshd[13220]: Accepted password for wwwrun from 69.143.190.100 port 60966 ssh2
sshd[13228]: Accepted password for news from 69.143.190.100 port 61196 ssh2
sshd[13258]: Accepted password for lp from 69.143.190.100 port 61497 ssh2
sshd[13288]: Accepted password for mail from 69.143.190.100 port 61830 ssh2
sshd[13294]: Accepted password for bin from 69.143.190.100 port 61916 ssh2
sshd[13324]: Accepted password for postfix from 69.143.190.100 port 62245 ssh2
sshd[13332]: Accepted password for at from 69.143.190.100 port 62362 ssh2

None of these accounts have passwords in /etc/shadow and none of them have null strings either. So it seems to me the most likely culprit was a misconfiguration in sshd or PAM or LDAP (in nsswitch.conf we have

passwd: compat
group: compat
shadow: compat
passwd_compat: ldap
group_compat: ldap
shadow_compat: ldap

and also we have
/etc/shadow:+::0:0:0::::
/etc/shadow:+::0:0:0::::
/etc/passwd:+:::::/nonexistent:/usr/local/etc/restricted-machine
)

The machine has been rebooted with a new kernel since then and I cannot ssh to those accounts, so I am hoping the vulnerability is no longer present. But has anyone else ever seen anything similar?

Regards,
Bob

==============================================================
Bob Vickers R.Vickers@xxxxxxxxxxxxx
Dept of Computer Science, Royal Holloway, University of London
WWW: http://www.cs.rhul.ac.uk/home/bobv
Phone: +44 1784 443691
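The pattern Bob describes, "Accepted password" lines for accounts that have no usable password and should never log in interactively, is something a defender can check for mechanically. The script below is an added example written for this archive page; it is not Bob's code and not part of openSUSE. It parses sshd lines of the shape quoted in the post, cross-references each accepted password login against constructed /etc/passwd and /etc/shadow excerpts (the "+" NSS compat lines are skipped, since they are directives rather than accounts), and flags logins for system-range UIDs, nologin shells, or accounts whose local shadow field is "*", "!" or empty. The log lines, account data, UID threshold of 999 and the shell list are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample sshd lines in the same shape as those quoted in the post.
# PIDs, addresses and ports are made up for the example.
SAMPLE_LOG = """\
sshd[26712]: Accepted password for ftp from 192.0.2.10 port 60041 ssh2
sshd[12088]: Accepted password for tomcat from 192.0.2.10 port 62729 ssh2
sshd[12100]: Failed password for root from 192.0.2.10 port 62730 ssh2
sshd[12200]: Accepted publickey for alice from 198.51.100.7 port 51000 ssh2
sshd[12300]: Accepted password for bob from 198.51.100.7 port 51001 ssh2
"""

# Constructed /etc/passwd and /etc/shadow excerpts. The trailing "+" lines are
# NSS compat directives like the ones in the post; they are not accounts.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
tomcat:x:91:91:Tomcat:/usr/share/tomcat:/bin/false
alice:x:1000:100:Alice:/home/alice:/bin/bash
bob:x:1001:100:Bob:/home/bob:/bin/bash
+:::::/nonexistent:/usr/local/etc/restricted-machine
"""

SAMPLE_SHADOW = """\
root:$6$constructedhash:18500:0:99999:7:::
ftp:*:18500:0:99999:7:::
tomcat:*:18500:0:99999:7:::
alice:!:18500:0:99999:7:::
bob:$6$anotherconstructedhash:18500:0:99999:7:::
+::0:0:0::::
"""

ACCEPT_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)

SYSTEM_UID_MAX = 999  # assumption: UIDs at or below this are system accounts
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


@dataclass
class Account:
    name: str
    uid: int
    shell: str
    shadow_hash: Optional[str]  # None when no local shadow entry exists


def parse_passwd(text):
    """Build a name -> Account map, skipping blanks and +/- compat directives."""
    accounts = {}
    for line in text.splitlines():
        if not line or line[0] in "+-":
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        accounts[name] = Account(name, int(uid), shell, None)
    return accounts


def apply_shadow(accounts, text):
    """Attach the local shadow password field to each known account."""
    for line in text.splitlines():
        if not line or line[0] in "+-":
            continue
        name, hashed = line.split(":")[:2]
        if name in accounts:
            accounts[name].shadow_hash = hashed
    return accounts


def has_usable_password(acct):
    # "*", "!", "!!" and an empty field never match a typed password under the
    # normal crypt comparison; only a real hash should ever be accepted.
    h = acct.shadow_hash
    return h is not None and h != "" and not h.startswith(("*", "!"))


def find_suspicious_logins(log_text, accounts):
    """Return (user, source ip, reasons) for accepted password logins that
    the local account database says should have been impossible."""
    findings = []
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if not m or m.group("method") != "password":
            continue
        user = m.group("user")
        acct = accounts.get(user)
        reasons = []
        if acct is None:
            reasons.append("user not in local passwd (resolved via NSS/LDAP?)")
        else:
            if acct.uid <= SYSTEM_UID_MAX:
                reasons.append(f"system account uid={acct.uid}")
            if acct.shell in NOLOGIN_SHELLS:
                reasons.append(f"nologin shell {acct.shell}")
            if not has_usable_password(acct):
                reasons.append("no usable password hash in local shadow")
        if reasons:
            findings.append((user, m.group("ip"), reasons))
    return findings


if __name__ == "__main__":
    accts = apply_shadow(parse_passwd(SAMPLE_PASSWD), SAMPLE_SHADOW)
    for user, ip, reasons in find_suspicious_logins(SAMPLE_LOG, accts):
        print(f"{user} from {ip}: " + "; ".join(reasons))
```

On a real host the same logic would read the actual sshd log and the output of `getent passwd` / `getent shadow` rather than the embedded samples, and the "user not in local passwd" branch is the one that matters for a compat/LDAP setup like Bob's: a password accepted for a name that only exists through the "+" entries points at the directory or PAM stack rather than at /etc/shadow.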
