
Bug#314645: /usr/sbin/sshd: time delay of password check proves account existence to attackers



I'm kind of out of time to do this test (I'd have to set up a special
machine for it), but here is some supplementary information...

Interesting to note in this sample of log entries: real accounts 'greg'
and 'cheryl' are tested; no other 'first name' accounts are. On Jun 14,
a more random first-name list was attempted from the same IP address. It
appears that the bot came back with a more defined list built from its
first session.

Regards,

Greg

Jun 19 13:56:24 buster sshd[30500]: Failed password for mail from 140.109.33.37 port 47339 ssh2
Jun 19 13:56:27 buster sshd[30502]: Failed password for mail from 140.109.33.37 port 47531 ssh2
Jun 19 13:56:30 buster sshd[30504]: Failed password for mail from 140.109.33.37 port 47687 ssh2
Jun 19 13:58:40 buster sshd[30690]: Failed password for news from 140.109.33.37 port 53750 ssh2
Jun 19 13:58:43 buster sshd[30692]: Failed password for news from 140.109.33.37 port 53929 ssh2
Jun 19 13:58:46 buster sshd[30694]: Failed password for news from 140.109.33.37 port 54067 ssh2
Jun 19 13:59:23 buster sshd[30744]: Failed password for sshd from 140.109.33.37 port 55749 ssh2
Jun 19 13:59:26 buster sshd[30746]: Failed password for sshd from 140.109.33.37 port 55932 ssh2
Jun 19 13:59:30 buster sshd[30748]: Failed password for sshd from 140.109.33.37 port 56083 ssh2
Jun 19 14:07:20 buster sshd[31475]: Failed password for backup from 140.109.33.37 port 48315 ssh2
Jun 19 14:07:24 buster sshd[31477]: Failed password for backup from 140.109.33.37 port 48465 ssh2
Jun 19 14:07:27 buster sshd[31479]: Failed password for backup from 140.109.33.37 port 48599 ssh2
Jun 19 14:08:57 buster sshd[31609]: Failed password for nobody from 140.109.33.37 port 52531 ssh2
Jun 19 14:09:00 buster sshd[31611]: Failed password for nobody from 140.109.33.37 port 52656 ssh2
Jun 19 14:09:04 buster sshd[31613]: Failed password for nobody from 140.109.33.37 port 52770 ssh2
Jun 19 14:14:24 buster sshd[32100]: Failed password for mail from 140.109.33.37 port 38314 ssh2
Jun 19 14:14:26 buster sshd[32102]: Failed password for mail from 140.109.33.37 port 38468 ssh2
Jun 19 14:14:30 buster sshd[32104]: Failed password for mail from 140.109.33.37 port 38593 ssh2
Jun 19 14:26:49 buster sshd[797]: Failed password for sync from 140.109.33.37 port 41650 ssh2
Jun 19 14:26:52 buster sshd[799]: Failed password for sync from 140.109.33.37 port 41787 ssh2
Jun 19 14:26:55 buster sshd[801]: Failed password for sync from 140.109.33.37 port 41933 ssh2
Jun 19 14:28:37 buster sshd[947]: Failed password for cheryl from 140.109.33.37 port 46263 ssh2
Jun 19 14:28:40 buster sshd[949]: Failed password for cheryl from 140.109.33.37 port 46386 ssh2
Jun 19 14:28:43 buster sshd[951]: Failed password for cheryl from 140.109.33.37 port 46529 ssh2
Jun 19 14:30:52 buster sshd[1158]: Failed password for www-data from 140.109.33.37 port 52081 ssh2
Jun 19 14:30:55 buster sshd[1160]: Failed password for www-data from 140.109.33.37 port 52222 ssh2
Jun 19 14:30:58 buster sshd[1162]: Failed password for www-data from 140.109.33.37 port 52362 ssh2
Jun 19 14:31:02 buster sshd[1164]: Failed password for games from 140.109.33.37 port 52480 ssh2
Jun 19 14:31:05 buster sshd[1166]: Failed password for games from 140.109.33.37 port 52626 ssh2
Jun 19 14:31:08 buster sshd[1168]: Failed password for games from 140.109.33.37 port 52761 ssh2
Jun 19 14:31:45 buster sshd[1218]: Failed password for operator from 140.109.33.37 port 54322 ssh2
Jun 19 14:31:48 buster sshd[1220]: Failed password for operator from 140.109.33.37 port 54476 ssh2
Jun 19 14:31:52 buster sshd[1222]: Failed password for operator from 140.109.33.37 port 54608 ssh2
Jun 19 14:32:45 buster sshd[1296]: Failed password for irc from 140.109.33.37 port 56857 ssh2
Jun 19 14:32:48 buster sshd[1298]: Failed password for irc from 140.109.33.37 port 57033 ssh2
Jun 19 14:32:53 buster sshd[1300]: Failed password for irc from 140.109.33.37 port 57159 ssh2
Jun 19 14:36:02 buster sshd[1594]: Failed password for lp from 140.109.33.37 port 37138 ssh2
Jun 19 14:36:05 buster sshd[1596]: Failed password for lp from 140.109.33.37 port 37269 ssh2
Jun 19 14:36:08 buster sshd[1598]: Failed password for lp from 140.109.33.37 port 37392 ssh2
Jun 19 14:36:16 buster sshd[1606]: Failed password for bin from 140.109.33.37 port 37699 ssh2
Jun 19 14:36:19 buster sshd[1608]: Failed password for bin from 140.109.33.37 port 37849 ssh2
Jun 19 14:36:23 buster sshd[1610]: Failed password for bin from 140.109.33.37 port 38005 ssh2
Jun 19 14:36:26 buster sshd[1612]: Failed password for postfix from 140.109.33.37 port 38177 ssh2
Jun 19 14:36:30 buster sshd[1614]: Failed password for postfix from 140.109.33.37 port 38314 ssh2
Jun 19 14:36:33 buster sshd[1616]: Failed password for postfix from 140.109.33.37 port 38459 ssh2
Jun 19 14:40:47 buster sshd[2007]: Failed password for uucp from 140.109.33.37 port 49391 ssh2
Jun 19 14:40:51 buster sshd[2009]: Failed password for uucp from 140.109.33.37 port 49522 ssh2
Jun 19 14:40:54 buster sshd[2011]: Failed password for uucp from 140.109.33.37 port 49670 ssh2
Jun 19 14:43:32 buster sshd[2239]: Failed password for greg from 140.109.33.37 port 56496 ssh2
Jun 19 14:43:35 buster sshd[2241]: Failed password for greg from 140.109.33.37 port 56642 ssh2
Jun 19 14:43:39 buster sshd[2243]: Failed password for greg from 140.109.33.37 port 56786 ssh2
Jun 19 14:49:12 buster sshd[2746]: Failed password for sys from 140.109.33.37 port 42917 ssh2
Jun 19 14:49:15 buster sshd[2748]: Failed password for sys from 140.109.33.37 port 43076 ssh2
Jun 19 14:49:18 buster sshd[2750]: Failed password for sys from 140.109.33.37 port 43209 ssh2


On Sun, 2005-06-19 at 13:58 -0400, Justin Pryzby wrote:
> On Fri, Jun 17, 2005 at 01:13:14PM -0400, pryzbyj wrote:
> > On Fri, Jun 17, 2005 at 09:59:45AM -0700, Greg Webster wrote:
> > > On Fri, 2005-06-17 at 12:51 -0400, Justin Pryzby wrote:
> > > > On Fri, Jun 17, 2005 at 09:14:04AM -0700, Greg Webster wrote:
> > > > > Package: ssh
> > > > > Version: 1:3.8.1p1-8.sarge.4
> > > > > Severity: critical
> > > > > File: /usr/sbin/sshd
> > > > > Tags: security
> > > > > Justification: root security hole
> 
> > > > > This attack is already in the wild, as shown in logs:
> > > > This doesn't seem to indicate any particular attack.  I don't know if
> > > > there's any evidence that it's doing anything other than sshing to
> > > > $user:$user@yourmachine.  (Though there is no evidence to support my
> > > > claim, either.  It would be interesting to force the use of password
> > > > authentication, rather than challenge-response, to see what password
> > > > is being used.  Takers?).
> > > 
> > > Definitely would be a good test...I'd like to see someone validate what
> > > I've been seeing.
> > I see lots of the same logfile entries; but I have doubts that it is
> > looking for a valid account, and not just looking for an *opened*
> > account.
> The included patch records any "cleartext" passwords (which are
> normally only cleartext in the sense that they can be recorded by the
> remote machine, and are normally sent encrypted over the network).
> 
> You probably shouldn't use it on a multiuser machine.  But, if you do,
> then you should ensure that the created file is root:root 0700.  (And
> tell all your users what you're up to).
> 
> Some mods to /etc/ssh/sshd_config are necessary to force clients to
> use password authentication.
> 
> (NOTE: that this is deliberately discouraged by the authors of SSH.
> Normally, a challenge-response authentication is used, and the
> effective "password" [call it what you like] is never transmitted.
> "Password" authentication is usually the last resort.  I always
> recommend using RSA authentication; it can even be left enabled while
> doing this test.)
> 
> Anyway,
> 
> ChallengeResponseAuthentication no
> kbdinteractiveauthentication no
> 
> (The latter one isn't highlighted by vim, and doesn't seem to have any
> effect.  The first one was necessary, though.  I suspect that keyboard
> interactive, in practice, uses a challenge/response authentication.)
> 
> When that's changed, you must /etc/init.d/ssh reload.  Then test the
> configuration with ssh -v fakeuser@localhost, which should end with:
> 
>   debug1: Next authentication method: password
>   fakeuser@localhost's password: 
> 
> demonstrating that password authentication is the only one used.
> (Well, not really, since I still have public-key enabled; but, it is
> the first interactive one.).
> 
> I'll leave this up for a little while and see what happens.  Please
> let me know of your own results, should you decide to do similar
> investigations.
> 
> Justin
-- 
Greg Webster  -  System Administrator
-------------------------------------
intouch.ca gastips.com epredictor.net
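A defender's triage of log entries like the ones in this report, added here as example code that is not part of the bug report or of the ssh package: it groups sshd "Failed password" lines by source address, counts the distinct accounts each address sweeps, and records whether every probed account actually existed (the report's observation that only real accounts were tried). The sample lines are constructed in the report's format; the second address and the "invalid user" line are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the report's sshd entries (trimmed);
# the second address and the "invalid user" line are assumptions. Older OpenSSH
# logs non-existent accounts as "illegal user", newer releases as "invalid user".
SAMPLE_LOG = """\
Jun 19 13:56:24 buster sshd[30500]: Failed password for mail from 140.109.33.37 port 47339 ssh2
Jun 19 13:56:27 buster sshd[30502]: Failed password for mail from 140.109.33.37 port 47531 ssh2
Jun 19 13:56:30 buster sshd[30504]: Failed password for mail from 140.109.33.37 port 47687 ssh2
Jun 19 14:28:37 buster sshd[947]: Failed password for cheryl from 140.109.33.37 port 46263 ssh2
Jun 19 14:28:40 buster sshd[949]: Failed password for cheryl from 140.109.33.37 port 46386 ssh2
Jun 19 14:43:32 buster sshd[2239]: Failed password for greg from 140.109.33.37 port 56496 ssh2
Jun 19 14:43:35 buster sshd[2241]: Failed password for greg from 140.109.33.37 port 56642 ssh2
Jun 19 15:02:11 buster sshd[3003]: Failed password for greg from 10.0.0.5 port 40001 ssh2
Jun 19 15:02:14 buster sshd[3005]: Failed password for invalid user test from 10.0.0.5 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: Failed password for "
    r"(?:(?P<bad>illegal|invalid) user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)

def parse_failures(text):
    """Yield (ip, user, account_exists) for each sshd 'Failed password' line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ip"], m["user"], m["bad"] is None

def enumeration_report(text, min_users=3):
    """Group failures by source address and flag addresses that sweep many
    distinct accounts. An address whose every probed account exists matches
    the pattern in the report (a list already narrowed to real accounts)."""
    per_ip = defaultdict(lambda: {"users": defaultdict(int), "only_existing": True})
    for ip, user, exists in parse_failures(text):
        per_ip[ip]["users"][user] += 1
        if not exists:
            per_ip[ip]["only_existing"] = False
    return {
        ip: {
            "users": dict(rec["users"]),
            "only_existing": rec["only_existing"],
            "flag": len(rec["users"]) >= min_users,
        }
        for ip, rec in per_ip.items()
    }
```

Feed it the full log to see the sweeping address flagged with every account marked as existing, which is the signal worth alerting on alongside the per-user burst count.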