OpenSSH 0day?
09.07.09 @ 12:00:22. Filed under Vulnerabilities, Hackers, Crackers
Rumors are flying of an underground OpenSSH exploit. After some digging we found the tool's name and the group behind it:
“./0pen0wn” or “./0penPWN” by the hacker group called “anti-sec.” Check the commands below:
anti-sec:~/pwn/xpl# ./openPWN -h 66.96.220.213 -p 2222 -l=users.txt
[+] openPWN - anti-sec group
[+] Target: 66.96.220.213
[+] SSH Port: 2222
[+] List: users.txt
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>]
and:
anti-sec:~/pwn/xpl# ./0pen0wn -h 66.197.143.133 -p 22
[+] 0wn0wn - anti-sec group
[+] Target: 66.197.143.133
[+] SSH Port: 22
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>]
Two attack logs exist on the net with this supposed exploit, both by this group. The first is an attack on an Astalavista Admin:
http://romeo.copyandpaste.info/txt/nowayout.txt
The second attack is the one the Internet Storm Center blogged on which can be seen in its entirety here:
and a Russian site has a play by play of the attack here:
A Belgian Blog has this to say about it:
There has been a splash of openssh attacks and scanning – even in Belgium – and nobody seems to know what and why. There are some rumors and there is some discussion over at the Internet Storm Center but it is not all clear yet. The rumor is that a Zero day has been discovered for OLDER versions of Open SSH. This means there is no patch – but you can upgrade which will solve the issue.
I know it is a lot of work but it is work that you have to do otherwise there will be much more other work that you will have to do when you become the stupid victim of an announced attack.
Do the right thing. Upgrade to the latest versions.
PS: what is strange about the openSSH scans is that they are scanning a whole set of ports, not only the traditional ones. Maybe to find the diverting tactics (by choosing another port not to be found while scanning). Means they are smart these guys.
Rumor tells us that Black Hat US may be the place where more information would be launched about this attack. That promises. It looks like this blackhat conference will become a hell of a show…
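The Belgian blogger's observation that the scanners hit a whole set of ports rather than only 22 suggests a simple detection: count the distinct destination ports each source address probes and flag the ones that sweep. The script below is an added example, not code from the original post or from any tool it mentions. It assumes netfilter/iptables LOG-format lines (the `SRC=` and `DPT=` fields of the kernel LOG target) and the sample entries embedded in it are constructed, not captured traffic; the `min_ports` threshold is an assumed tuning value.

```python
"""Flag source addresses that probe many distinct ports (SSH port sweeps).

Added example; assumes netfilter LOG-style lines with SRC= and DPT= fields.
The sample log below is constructed for the demonstration.
"""
import re
from collections import defaultdict

# Only the source address and destination port matter; the rest is ignored.
LOG_RE = re.compile(
    r"SRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3}).*?DPT=(?P<dpt>\d{1,5})"
)

# Constructed sample: 198.51.100.7 sweeps several candidate SSH ports,
# 192.0.2.44 makes two ordinary connections, and one ICMP line has no DPT.
SAMPLE_LOG = """\
Jul  9 11:58:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=22 SYN
Jul  9 11:58:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40002 DPT=222 SYN
Jul  9 11:58:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40003 DPT=2222 SYN
Jul  9 11:58:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40004 DPT=2200 SYN
Jul  9 11:58:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40005 DPT=22222 SYN
Jul  9 11:58:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40006 DPT=830 SYN
Jul  9 11:58:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40007 DPT=22 SYN
Jul  9 11:59:10 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=51000 DPT=22 SYN
Jul  9 11:59:40 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=51001 DPT=443 SYN
Jul  9 11:59:55 gw kernel: IN=eth0 OUT= SRC=192.0.2.99 DST=203.0.113.5 PROTO=ICMP TYPE=8 CODE=0
"""


def parse_hits(lines):
    """Map each source address to the set of destination ports it touched.

    Using a set means repeated hits on the same port (22 twice above)
    count once; lines without SRC=/DPT= (the ICMP line) are skipped.
    """
    hits = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            hits[m.group("src")].add(int(m.group("dpt")))
    return hits


def find_port_sweepers(lines, min_ports=4):
    """Return {src: sorted ports} for sources hitting >= min_ports distinct ports."""
    return {
        src: sorted(ports)
        for src, ports in parse_hits(lines).items()
        if len(ports) >= min_ports
    }


def sweeper_report(lines, min_ports=4):
    """Human-readable lines, one per flagged source, sorted by address."""
    rows = []
    for src, ports in sorted(find_port_sweepers(lines, min_ports).items()):
        rows.append(f"{src} probed {len(ports)} ports: {', '.join(map(str, ports))}")
    return rows


if __name__ == "__main__":
    print("\n".join(sweeper_report(SAMPLE_LOG.splitlines())))
```

Run against a real firewall log, lower `min_ports` on quiet networks and raise it on busy ones; a source that touches only port 22 never trips this check, so it complements rather than replaces the usual failed-login monitoring in the sshd log.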
Update:
ISC has a third update saying this:
We’ve received a few emails that lend credibility to the rumor, and we’ve received a few more that paint an interesting picture – that the reports are all part of a cover-up to hide another breach that was caused by a sysadmin’s mistake. What we are lacking is the actual exploit code. So if this is “for real” would somebody slip us a copy and leave it under the door mat? (Actually, our contact form is the best place.) We won’t tell anybody where it came from but it sure would put a lid on this story.
If you look at the first attack log, the ./0pen0wn script drops them into a jailshell which they then have to escape to get at the box. This might offer some insight into the exploit. They use a ./MichaelScofield script (named after a character in the TV series Prison Break) to get /bin/sh and then go after passwords, etc.
sh-3.1$ ./MichaelScofield
[+] MichaelScofield - Prison Breaker / anti-sec group
[+] Grabbing environment variables...
SHELL=/usr/local/cpanel/bin/jailshell
[+] Injecting new shell..
[~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~>]
SHELL=/bin/sh
Source: http://www.securityaegis.com/?p=445
Andrés Alfaro