Posted on Tuesday 22 January 2013
It's been a while since I had something worth ranting about, but I think I've found something. As far as I can tell there is no reference to this anywhere on Google.
My sshd on my home file server was phoning home to openssh.info (which, as of this posting, resolves to 82.221.99.69), whose whois info is unlisted, and whose DNS is hosted by FreeDNS (afraid.org). A stock OpenSSH sshd never makes outbound HTTP connections, so the most likely explanation is that the sshd binary itself had been replaced or modified, rather than a running sshd being exploited. Whatever it was trying to do was failing, which caused the sshd to SIGABRT. Unfortunately I apt-get install --reinstall'd my packages before I could run strings on the binary to see what URL it was actually retrieving (no promises that would have shown it anyway). In hindsight: copy the suspect binary off the box and record its hash first, and compare the installed files against the package checksums (debsums, or the .md5sums files under /var/lib/dpkg/info/) before touching anything. I do know it does a gethostbyname() first, resolving the openssh.info host. At first I thought: WHY IS MY SSHD DOING A connect() to port 53 of a Comcast name serv... er, never mind, that's just the resolver — but wait, what is this connect() to port 80?! This appeared to happen every 600 seconds and ended in a SIGABRT.
[403353.692802] init: ssh main process (32121) killed by ABRT signal
[403353.692862] init: ssh main process ended, respawning
[403954.552812] init: ssh main process (32135) killed by ABRT signal
[403954.552870] init: ssh main process ended, respawning
[404555.240749] init: ssh main process (32146) killed by ABRT signal
[404555.240809] init: ssh main process ended, respawning
[405156.152631] init: ssh main process (32158) killed by ABRT signal
[405156.152683] init: ssh main process ended, respawning
[405757.026526] init: ssh main process (32298) killed by ABRT signal
[405757.026562] init: ssh main process ended, respawning

(Note the roughly 600-second spacing between the ABRTs, which matches the 600-second interval seen in the trace.) Here's some stuff from strace...
connect(5, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("82.221.99.69")}, 16) = -1 EINPROGRESS (Operation now in progress)
select(6, [3 4], [5], NULL, {600, 0}) = 1 (out [5], left {599, 847860})
fcntl(5, F_GETFL) = 0x802 (flags O_RDWR|O_NONBLOCK)
fcntl(5, F_SETFL, O_RDWR) = 0
uname({sys="Linux", node="oxygen", ...}) = 0
open("/dev/tty", O_RDWR|O_NOCTTY|O_NONBLOCK) = -1 ENXIO (No such device or address)
writev(2, [{"*** glibc detected *** ", 23}, {"/usr/sbin/sshd", 14}, {": ", 2}, {"munmap_chunk(): invalid pointer", 31}, {": 0x", 4}, {"0000000000456aa8", 16}, {" ***\n", 5}], 7) = 95
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f988b456000
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 6
fstat(6, {st_mode=S_IFREG|0644, st_size=52961, ...}) = 0
mmap(NULL, 52961, PROT_READ, MAP_PRIVATE, 6, 0) = 0x7f988b438000
close(6) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libgcc_s.so.1", O_RDONLY|O_CLOEXEC) = 6
read(6, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320(\0\0\0\0\0\0"..., 832) = 832
fstat(6, {st_mode=S_IFREG|0644, st_size=88384, ...}) = 0
mmap(NULL, 2184216, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 6, 0) = 0x7f9888fd2000
mprotect(0x7f9888fe7000, 2093056, PROT_NONE) = 0
mmap(0x7f98891e6000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 6, 0x14000) = 0x7f98891e6000
close(6) = 0
mprotect(0x7f98891e6000, 4096, PROT_READ) = 0
munmap(0x7f988b438000, 52961) = 0
write(2, "======= Backtrace: =========\n", 29) = 29
writev(2, [{"/lib/x86_64-linux-gnu/libc.so.6", 31}, {"(", 1}, {"+0x", 3}, {"7eb96", 5}, {")", 1}, {"[0x", 3}, {"7f988a2cdb96", 12}, {"]\n", 2}], 8) = 58
writev(2, [{"/usr/sbin/sshd", 14}, {"[0x", 3}, {"40ad16", 6}, {"]\n", 2}], 4) = 25
writev(2, [{"/usr/sbin/sshd", 14}, {"[0x", 3}, {"408f55", 6}, {"]\n", 2}], 4) = 25
writev(2, [{"/lib/x86_64-linux-gnu/libc.so.6", 31}, {"(", 1}, {"__libc_start_main", 17}, {"+0x", 3}, {"ed", 2}, {")", 1}, {"[0x", 3}, {"7f988a27076d", 12}, {"]\n", 2}], 9) = 72
writev(2, [{"/usr/sbin/sshd", 14}, {"[0x", 3}, {"409b99", 6}, {"]\n", 2}], 4) = 25
write(2, "======= Memory map: ========\n", 29) = 29
open("/proc/self/maps", O_RDONLY) = 6
read(6, "00400000-00478000 r-xp 00000000 "..., 1024) = 1024
write(2, "00400000-00478000 r-xp 00000000 "..., 1024) = 1024
read(6, "x-gnu/libnss_nis-2.15.so\n7f98893"..., 1024) = 1024
write(2, "x-gnu/libnss_nis-2.15.so\n7f98893"..., 1024) = 1024
read(6, "8842 /lib/x8"..., 1024) = 1024
write(2, "8842 /lib/x8"..., 1024) = 1024
read(6, "5.so\n7f9889c3a000-7f9889c3b000 r"..., 1024) = 1024
write(2, "5.so\n7f9889c3a000-7f9889c3b000 r"..., 1024) = 1024
read(6, " r-xp 00000000 08:11 118830 "..., 1024) = 1024
write(2, " r-xp 00000000 08:11 118830 "..., 1024) = 1024
read(6, "17000 ---p 00009000 08:11 118840"..., 1024) = 1024
write(2, "17000 ---p 00009000 08:11 118840"..., 1024) = 1024
read(6, ".15.so\n7f988ac5f000-7f988ac60000"..., 1024) = 1024
write(2, ".15.so\n7f988ac5f000-7f988ac60000"..., 1024) = 1024
read(6, " /lib/x86_64-linux-gnu/lib"..., 1024) = 819
write(2, " /lib/x86_64-linux-gnu/lib"..., 819) = 819
read(6, "", 1024) = 0
close(6) = 0
rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
Anyway, if anyone else has seen this thing in the wild, or knows what it is, please contact me. Strictly speaking this is not an exploit but what looks like a backdoored sshd; given that it appears to be otherwise undocumented, I have a feeling I might get a little bit of blowback from this post.
I have not yet found out how they got into the system in the first place, but I've updated everything and limited access from my firewall. Note that a modified sshd means whoever did this had root on the box, so updating packages and tightening the firewall is damage control, not a cleanup: the safe course is to rebuild the host from known-good media, and to treat any password or key that was used to log in through the tampered sshd as potentially captured and rotate it. It's not a box I check very often, but that will certainly change now. Stay vigilant.