Subject: Re: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?
To: Water NB <firstname.lastname@example.org>
From: Chavdar Ivanov <email@example.com>
Date: 01/12/2007 11:34:33
On 1/12/07, Water NB <firstname.lastname@example.org> wrote:
> In the recent days, a cracker always attack my host.
> The cracker's IP is from Japan, Croatia and some coutries.
> But I guess it is the same cracker and remote-conrolled those hosts.
> Because he always did the same works:
> 1) try to ssh account one by one: root, postfix, ... cyrus.
> 2) at last, login successfully via account cyrus.
> 3) install a program psyBNC 2.3.1 under /tmp and run it.
I was hit once on an old Solaris 2.6x86 box, which I meant to replace
for more than a year and didn't bother to secure it properly...
Luckily I noticed this within a few days and was able quickly to find
some new hardware and move that server functions to another system (in
this case FreeBSD 6.0).
> 4) sometimes he changes the password of cyrus.
If you ask me, once he is been there, the box is compromised. You have
to search for rootkits etc. I wouldn't bother, if I were you; I would
start from scratch.
> Question 1) Is it a bug of sshd?
Not likely - but see below.
> Yesterday, I change the password of cyrus to 16 characters which contain
> digit, symbol and capital/lowercase letter, So I think it is more
> But this morning I found the cracker still logined the system after only
> two tries.
Key logger? I don't know if such a thing exists for NetBSD, but
wouldn't be surprised.
> It is impossible to try 2 times to get the correct password.
> So I guess that he used the bug of sshd.
> What bug? I don't know.
> Question 2) why /etc/passwd:cyrus has Shell: /bin/sh?
> I think /sbin/nologin is enough.
> In fact, when I change it to /sbin/nologin, the cracker stop cracking
> because he has to logout once he login.
I don't know, I run courier.
> Question 3) How to setup a secret system?
Well, that's the 64000$ one...
> I am so worried with the fixed-IP-host in public network.
> Question 4) How to log what passwords the cracker used in ssh session?
> Or I need modify sshd source?
> Question 5) empty password means needn't password?
> Or means any passwords are invalid?
> My system:
> # uname -a
> NetBSD serv01 3.1_STABLE NetBSD 3.1_STABLE (386nb3) #3: Sat Dec 30
> 11:50:47 CST
> 2006 water@serv01:/usr/world/386o3/sys/arch/i386/compile/386nb3 i386
> # ssh -v
> OpenSSH_3.9 NetBSD_Secure_Shell-20061016, OpenSSL 0.9.7d 17 Mar 2004
> Running: apache2, postfix-2.3.5 (from pkgsrc), dovecot, mysqld, sshd,
> Installed: cyrus-sasl-2.1.22, php5.2.0
> Jan 12 00:07:04 mail sshd: Accepted password for cyrus from
> AAA.BBB.CCC.DDD port 57622 ssh2
Configure sshd with something like:
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
# similar for protocol version 2
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
# Don't read the user's ~/.rhosts and ~/.shosts files
# Change to yes to enable built-in password authentication.
# Change to no to disable PAM authentication
and setup passwordless ssh logins from the hosts you are likely to use
to login to that server; google for passwordless ssh login (i.e.