[scg-sec] FW: SSH fun :)

Paul Goyette pgoyette at juniper.net
Fri Mar 4 17:19:16 EST 2005


Most of you all probably know everything that Rob is saying,
but it never hurts to repeat it.  We'll be trying to find a
way to re-emphasize to customers that "just because you're 
using SSH doesn't mean you're secure" and try to convince
them to be much more selective about the sources from which
they accept connections.

-----Original Message-----
From: Rob Thomas [mailto:robt at cymru.com]
Sent: Friday, March 04, 2005 2:10 PM
To: Paul Goyette
Subject: SSH fun :)


Hey, Paul.

Wendy and I chatted about your recent SSH fun, so I thought I'd punt
you a bit of what I know and see on this topic.

The initial bruteforce SSH scan and sploit code is based on Windows
open shares bruteforce login and password code.  This code attempts
to connect to Windows shares (TCP 135, TCP 445) and guess logins,
e.g. admin/admin, administrator/administrator, etc.  It even tries
several foreign languages.

A crew of Romanians adapted this code for SSH.  They knew that
entirely too many people leave TCP 22 open to the world.  They
also know that people pick lousy passwords.  The code is a very
good scanner, running multiple concurrent scans (threaded, of
course).  This code is now out in wider distribution in the
underground, and quite popular because it works REALLY well.

The miscreants expected to find "mad fast" Unix boxes with this
code.  They did.  FreeBSD, Linux, Solaris, AIX, you name it.
They also found Juniper routers (my favorite miscreant quote:
"Now I don't have to lie about having hacked an OC48 router!")
and Mac OS X boxes.  We found one all-Mac OS X botnet (several
hundred Macs) built solely through SSH bruteforce.

The miscreants are now adjusting their target netblocks based
on what they see responding.  In much the same way that the
miscreants long ago identified the prefixes that contain ISP
to customer edge routers, the miscreants are now identifying
prefixes that include large concentrations of Unix boxes, Mac
boxes, and Juniper routers.  This target identification effort
has only recently begun; you can rest assured that it will be
accurate and maintained.  :(

My advice, and this is what I conveyed to your folks when I
spoke there, is to get folks to filter TCP 22 access TODAY.
You can rave about good passwords all you want, but we both
know that this doesn't do much good.  It's amazing to me, and
a common joke among the miscreants, the number of folks who
use "cisco" as their Juniper login and password.  :/

The miscreants know that Macs and Juniper boxes, just as any
other Unix platform, make fine hosts for IRC bounces, IRC
servers, malware redistribution sites (SCP, FTP, HTTP), and
DoS and bot platforms.  This trend began with the widespread
desire of the underground to locate more Unix platforms for
their criminal revenue streams.  You can expect this trend
to continue, and likely increase.

The code itself is nothing fancy.  It simply connects to
TCP 22 and tries a large list of login/password combinations.

Feel free to share this note with the Skitter Core Group.
If there is anything you need, please don't hesitate to
ask.

Thanks,
Rob.
-- 
Rob Thomas
http://www.cymru.com
Shaving with Occam's razor since 1999.
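One way to spot the activity Rob describes in sshd's own syslog output, added here as a worked example that is not part of the original message: the log lines below are constructed, and the script assumes OpenSSH-style "Failed password"/"Accepted ..." messages. It flags sources that fail repeatedly inside a short window, lists the logins they tried, and notes whether a success followed the burst (a likely guessed account such as cisco/cisco).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines in syslog format (not from the original mail).
SAMPLE_LOG = """\
Mar  4 13:58:01 gw sshd[2310]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Mar  4 13:58:02 gw sshd[2311]: Failed password for invalid user administrator from 192.0.2.10 port 40123 ssh2
Mar  4 13:58:02 gw sshd[2312]: Failed password for root from 192.0.2.10 port 40124 ssh2
Mar  4 13:58:03 gw sshd[2313]: Failed password for invalid user cisco from 192.0.2.10 port 40125 ssh2
Mar  4 13:58:04 gw sshd[2314]: Failed password for invalid user test from 192.0.2.10 port 40126 ssh2
Mar  4 13:58:05 gw sshd[2315]: Accepted password for cisco from 192.0.2.10 port 40127 ssh2
Mar  4 14:10:30 gw sshd[2400]: Failed password for paul from 198.51.100.7 port 51000 ssh2
Mar  4 14:10:41 gw sshd[2401]: Accepted publickey for paul from 198.51.100.7 port 51001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse(log, year=2005):
    """Turn sshd syslog lines into (timestamp, result, user, source_ip) tuples.
    Syslog omits the year, so the caller supplies it (assumption: 2005)."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def brute_force_sources(events, threshold=5, window_seconds=60):
    """Return {ip: (failed_logins, usernames_tried, success_after_burst)} for every
    source with at least `threshold` failures inside any `window_seconds` span."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [e for e in evs if e[1] == "Failed"]
        # Sliding window: failures i..i+threshold-1 must fit in the window.
        burst = any((fails[i + threshold - 1][0] - fails[i][0]).total_seconds() <= window_seconds
                    for i in range(len(fails) - threshold + 1))
        if burst:
            users = sorted({e[2] for e in fails})
            compromised = any(e[1] == "Accepted" and e[0] >= fails[-1][0] for e in evs)
            findings[ip] = (len(fails), users, compromised)
    return findings
```

The single failure from 198.51.100.7 is ignored; 192.0.2.10 is reported with the five logins it tried and the success that followed, which is the case that warrants immediate review rather than just a block.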
