Subject: Re: NetBSD-3.1 was attacked: Bug of SSHD or cyrus-sasl?
To: None <tech-net@netbsd.org, tech-pkg@netbsd.org, netbsd-users@netbsd.org>
From: Ignatios Souvatzis <is@netbsd.org>
List: tech-pkg
Date: 01/12/2007 12:56:16
On Fri, Jan 12, 2007 at 11:34:33AM +0000, Chavdar Ivanov wrote:
> On 1/12/07, Water NB <netbsd78@126.com> wrote:
> >In the recent days, a cracker always attack my host.
> >The cracker's IP is from Japan, Croatia and some countries.
> If you ask me, once he has been there, the box is compromised. You have
> to search for rootkits etc. I wouldn't bother, if I were you; I would
> start from scratch.

Good advice, normally.

> >
> >Question 1) Is it a bug of sshd?
> 
> Not likely - but see below.
> 
> >Yesterday, I change the password of cyrus to 16 characters which contain
> >digit, symbol and  capital/lowercase letter, So I think it is more
> >secure.
> >But this morning I found the cracker still logged in to the system after only
> >two tries.
> 
> Key logger? I don't know if such a thing exists for NetBSD, but
> wouldn't be surprised.

Well, once the guy is "in" and has a privileged account, he can change
the passwd program... and if he only wants to capture cyrus' new password,
he can change cyrus' passwd.

> >
> >Question 2) why /etc/passwd:cyrus has Shell: /bin/sh?
> >I think /sbin/nologin is enough.
> >In fact, when I change it to /sbin/nologin, the cracker stops cracking
> >because he has to log out once he logs in.

This should be suggested to either the pkg maintainers or to the cyrus
maintainers. Please send a pr about this so that this suggestion isn't 
lost.

For the record: due to laziness, I didn't block port 22 when returning
from my last conference, so I have my authlog full of 

Jan 11 18:32:42 marie sshd[4035]: Invalid user takagi from 70.129.216.130
Jan 11 18:32:42 marie sshd[4035]: Failed password for invalid user takagi from 70.129.216.130 port 47462 ssh2

and similar.

*shrug* such is life - I normally use a different port for ssh to 
avoid clogging my authlog with this...

Maybe I should sweep it and notify the admins of those systems.

Regards,
	-is
-- 
seal your e-mail: http://www.gnupg.org/
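The sweep Ignatios mentions, as an added example that is not part of the mail or of NetBSD: a small Python script that parses the OpenSSH authlog formats quoted above ("Invalid user ... from ...", "Failed password for [invalid user] ... from ... port ...", plus the "Accepted <method> for ... from ..." success line), groups events by source address, and reports both the sources doing password guessing and any source that got in after failing first, which is the "logged in after only two tries" pattern the original poster described. The two 70.129.216.130 lines are the ones quoted in the mail; every other sample line, and the 192.0.2.0/24 addresses, are constructed for this example. Assumed names: SAMPLE_AUTHLOG, summarize_authlog, guessing_sources, successes_after_failures.

```python
"""Sweep an sshd authlog for password-guessing sources.

Added example, not code from the mail or from NetBSD.  Parses the OpenSSH
log lines quoted in the mail plus the "Accepted <method> for ..." line,
aggregates per source IP, and reports guessing sources and any source
that logged in successfully after failing.
"""
import re
from collections import defaultdict

# Constructed sample log.  The first two lines are the ones quoted in the
# mail; the rest are made up for this example (192.0.2.0/24 is a
# documentation range, not a real host).
SAMPLE_AUTHLOG = """\
Jan 11 18:32:42 marie sshd[4035]: Invalid user takagi from 70.129.216.130
Jan 11 18:32:42 marie sshd[4035]: Failed password for invalid user takagi from 70.129.216.130 port 47462 ssh2
Jan 11 18:32:45 marie sshd[4037]: Invalid user admin from 70.129.216.130
Jan 11 18:32:45 marie sshd[4037]: Failed password for invalid user admin from 70.129.216.130 port 47470 ssh2
Jan 11 18:32:48 marie sshd[4039]: Failed password for cyrus from 70.129.216.130 port 47481 ssh2
Jan 11 18:33:01 marie sshd[4041]: Failed password for cyrus from 70.129.216.130 port 47490 ssh2
Jan 11 19:02:10 marie sshd[4102]: Accepted publickey for is from 192.0.2.10 port 50112 ssh2
Jan 11 19:05:33 marie sshd[4110]: Failed password for is from 192.0.2.10 port 50120 ssh2
Jan 11 19:05:40 marie sshd[4110]: Accepted password for is from 192.0.2.10 port 50120 ssh2
"""

# OpenSSH message formats as they appear in the mail (and in sshd auth.c).
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)$")
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")


def _new_record():
    return {"failed": 0, "accepted": 0, "users": set(), "invalid_users": set(),
            "accepted_after_failure": False, "first": None, "last": None}


def summarize_authlog(text):
    """Return {source_ip: record} aggregated over the log lines in `text`.

    Only "Failed password" lines count as attempts; the preceding
    "Invalid user" line for the same attempt just records the username.
    """
    sources = defaultdict(_new_record)
    for line in text.splitlines():
        stamp = line[:15]  # syslog "Mon dd hh:mm:ss" prefix
        if m := INVALID_RE.search(line):
            user, ip = m.groups()
            rec = sources[ip]
            rec["invalid_users"].add(user)
        elif m := FAILED_RE.search(line):
            user, ip = m.groups()
            rec = sources[ip]
            rec["failed"] += 1
            rec["users"].add(user)
        elif m := ACCEPTED_RE.search(line):
            _method, user, ip = m.groups()
            rec = sources[ip]
            rec["accepted"] += 1
            rec["users"].add(user)
            if rec["failed"]:
                # A success after earlier failures from the same source:
                # the pattern the original poster saw for the cyrus account.
                rec["accepted_after_failure"] = True
        else:
            continue
        rec["first"] = rec["first"] or stamp
        rec["last"] = stamp
    return dict(sources)


def guessing_sources(sources, min_failed=3):
    """Sources with at least `min_failed` failed passwords, worst first."""
    hits = [(ip, rec["failed"], sorted(rec["users"]))
            for ip, rec in sources.items() if rec["failed"] >= min_failed]
    return sorted(hits, key=lambda h: -h[1])


def successes_after_failures(sources):
    """Sources that failed at least once and then logged in anyway."""
    return sorted(ip for ip, rec in sources.items() if rec["accepted_after_failure"])


if __name__ == "__main__":
    summary = summarize_authlog(SAMPLE_AUTHLOG)
    for ip, failed, users in guessing_sources(summary):
        rec = summary[ip]
        print(f"{ip}: {failed} failed passwords for {users}, "
              f"{rec['first']} .. {rec['last']}")
    for ip in successes_after_failures(summary):
        print(f"{ip}: successful login after failures, review this source")
```

On a real box the text would come from /var/log/authlog rather than the constructed string; the per-source "first"/"last" stamps and username lists are what you would paste into an abuse report to the remote admin. A success after failures from the same address is only a review hint (a user mistyping a password triggers it too), which is why the script lists it separately instead of folding it into the guessing count.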