Compromised SSHD, SIGABRT, and openssh.info

Posted on Tuesday 22 January 2013

It's been a mean minute since I had something worth ranting about, but I think I've found something. There is absolutely no reference to this on Google as far as I've seen. My sshd on my home file server was phoning home to openssh.info (which, as of this posting, resolves to 82.221.99.69), whose whois info is unlisted, and whose DNS is hosted by FreeDNS (afraid.org). It was failing at something, which was causing the sshd to SIGABRT. I apt-get install --reinstall'd my packages before I could strings them to see what actual URL they were retrieving (no promises there anyway). I do know it's doing a gethostbyname() first, and resolving the openssh.info host. At first I was like WHY IS MY SSHD DOING A connect() to port 53 of a Comcast name serv... er, never mind, but wait, what is this connect() to port 80?! This appeared to happen every 600 seconds and ended in a SIGABRT:
[403353.692802] init: ssh main process (32121) killed by ABRT signal
[403353.692862] init: ssh main process ended, respawning
[403954.552812] init: ssh main process (32135) killed by ABRT signal
[403954.552870] init: ssh main process ended, respawning
[404555.240749] init: ssh main process (32146) killed by ABRT signal
[404555.240809] init: ssh main process ended, respawning
[405156.152631] init: ssh main process (32158) killed by ABRT signal
[405156.152683] init: ssh main process ended, respawning
[405757.026526] init: ssh main process (32298) killed by ABRT signal
[405757.026562] init: ssh main process ended, respawning
Here's some stuff from strace...
connect(5, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("82.221.99.69")}, 16) = -1 EINPROGRESS (Operation now in progress)
select(6, [3 4], [5], NULL, {600, 0})   = 1 (out [5], left {599, 847860})
fcntl(5, F_GETFL)                       = 0x802 (flags O_RDWR|O_NONBLOCK)
fcntl(5, F_SETFL, O_RDWR)               = 0
uname({sys="Linux", node="oxygen", ...}) = 0
open("/dev/tty", O_RDWR|O_NOCTTY|O_NONBLOCK) = -1 ENXIO (No such device or address)
writev(2, [{"*** glibc detected *** ", 23}, {"/usr/sbin/sshd", 14}, {": ", 2}, {"munmap_chunk(): invalid pointer", 31}, {": 0x", 4}, {"0000000000456aa8", 16}, {" ***\n", 5}], 7) = 95
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f988b456000
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 6
fstat(6, {st_mode=S_IFREG|0644, st_size=52961, ...}) = 0
mmap(NULL, 52961, PROT_READ, MAP_PRIVATE, 6, 0) = 0x7f988b438000
close(6)                                = 0
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/lib/x86_64-linux-gnu/libgcc_s.so.1", O_RDONLY|O_CLOEXEC) = 6
read(6, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320(\0\0\0\0\0\0"..., 832) = 832
fstat(6, {st_mode=S_IFREG|0644, st_size=88384, ...}) = 0
mmap(NULL, 2184216, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 6, 0) = 0x7f9888fd2000
mprotect(0x7f9888fe7000, 2093056, PROT_NONE) = 0
mmap(0x7f98891e6000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 6, 0x14000) = 0x7f98891e6000
close(6)                                = 0
mprotect(0x7f98891e6000, 4096, PROT_READ) = 0
munmap(0x7f988b438000, 52961)           = 0
write(2, "======= Backtrace: =========\n", 29) = 29
writev(2, [{"/lib/x86_64-linux-gnu/libc.so.6", 31}, {"(", 1}, {"+0x", 3}, {"7eb96", 5}, {")", 1}, {"[0x", 3}, {"7f988a2cdb96", 12}, {"]\n", 2}], 8) = 58
writev(2, [{"/usr/sbin/sshd", 14}, {"[0x", 3}, {"40ad16", 6}, {"]\n", 2}], 4) = 25
writev(2, [{"/usr/sbin/sshd", 14}, {"[0x", 3}, {"408f55", 6}, {"]\n", 2}], 4) = 25
writev(2, [{"/lib/x86_64-linux-gnu/libc.so.6", 31}, {"(", 1}, {"__libc_start_main", 17}, {"+0x", 3}, {"ed", 2}, {")", 1}, {"[0x", 3}, {"7f988a27076d", 12}, {"]\n", 2}], 9) = 72
writev(2, [{"/usr/sbin/sshd", 14}, {"[0x", 3}, {"409b99", 6}, {"]\n", 2}], 4) = 25
write(2, "======= Memory map: ========\n", 29) = 29
open("/proc/self/maps", O_RDONLY)       = 6
read(6, "00400000-00478000 r-xp 00000000 "..., 1024) = 1024
write(2, "00400000-00478000 r-xp 00000000 "..., 1024) = 1024
read(6, "x-gnu/libnss_nis-2.15.so\n7f98893"..., 1024) = 1024
write(2, "x-gnu/libnss_nis-2.15.so\n7f98893"..., 1024) = 1024
read(6, "8842                     /lib/x8"..., 1024) = 1024
write(2, "8842                     /lib/x8"..., 1024) = 1024
read(6, "5.so\n7f9889c3a000-7f9889c3b000 r"..., 1024) = 1024
write(2, "5.so\n7f9889c3a000-7f9889c3b000 r"..., 1024) = 1024
read(6, " r-xp 00000000 08:11 118830     "..., 1024) = 1024
write(2, " r-xp 00000000 08:11 118830     "..., 1024) = 1024
read(6, "17000 ---p 00009000 08:11 118840"..., 1024) = 1024
write(2, "17000 ---p 00009000 08:11 118840"..., 1024) = 1024
read(6, ".15.so\n7f988ac5f000-7f988ac60000"..., 1024) = 1024
write(2, ".15.so\n7f988ac5f000-7f988ac60000"..., 1024) = 1024
read(6, "       /lib/x86_64-linux-gnu/lib"..., 1024) = 819
write(2, "       /lib/x86_64-linux-gnu/lib"..., 819) = 819
read(6, "", 1024)                       = 0
close(6)                                = 0
rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
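The two things worth checking from the evidence above are (a) whether a listening daemon like sshd ever dials out to anything other than the resolver, and (b) whether the kill/respawn cycle is really periodic. The script below is an added example, not code from the original post: it pulls AF_INET connect() calls out of strace output and flags the ones that are not resolver traffic, and it measures the gaps between the "killed by ABRT signal" timestamps in the init messages. The strace connect() line and the five init lines are the ones quoted above; the port-53 connect() line and the 192.0.2.53 address are constructed to stand in for the resolver lookup the post mentions, and all function names are my own.

```python
# Added example (not from the original post): detect outbound connect()
# calls in an strace of sshd and measure the respawn period from the
# upstart-style "init:" messages quoted in the post.
import re

# Sample input. The port-80 connect() and the init lines are from the post;
# the port-53 line is constructed (192.0.2.53 is a documentation address
# standing in for the resolver) to show that DNS traffic is not flagged.
SAMPLE_STRACE = """\
connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.0.2.53")}, 16) = 0
connect(5, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("82.221.99.69")}, 16) = -1 EINPROGRESS (Operation now in progress)
select(6, [3 4], [5], NULL, {600, 0})   = 1 (out [5], left {599, 847860})
"""

SAMPLE_INIT = """\
[403353.692802] init: ssh main process (32121) killed by ABRT signal
[403353.692862] init: ssh main process ended, respawning
[403954.552812] init: ssh main process (32135) killed by ABRT signal
[403954.552870] init: ssh main process ended, respawning
[404555.240749] init: ssh main process (32146) killed by ABRT signal
[404555.240809] init: ssh main process ended, respawning
[405156.152631] init: ssh main process (32158) killed by ABRT signal
[405156.152683] init: ssh main process ended, respawning
[405757.026526] init: ssh main process (32298) killed by ABRT signal
[405757.026562] init: ssh main process ended, respawning
"""

# strace prints IPv4 sockaddrs as {sa_family=AF_INET, sin_port=htons(N), sin_addr=inet_addr("A.B.C.D")}
CONNECT_RE = re.compile(
    r'connect\((\d+), \{sa_family=AF_INET, sin_port=htons\((\d+)\), '
    r'sin_addr=inet_addr\("([\d.]+)"\)\}'
)
# upstart: "[<uptime seconds>] init: <job> main process (<pid>) killed by <SIG> signal"
KILL_RE = re.compile(
    r'\[\s*(\d+\.\d+)\] init: (\S+) main process \((\d+)\) killed by (\w+) signal'
)


def parse_strace_connects(lines):
    """Return one dict (fd, ip, port) per AF_INET connect() call in the trace."""
    found = []
    for line in lines:
        m = CONNECT_RE.search(line)
        if m:
            found.append({"fd": int(m.group(1)), "port": int(m.group(2)), "ip": m.group(3)})
    return found


def suspicious_connects(connects, allowed_ports=(53,)):
    """An accept-only daemon has no reason to dial out. Resolver lookups
    (port 53) are done by libc on its behalf, so those are tolerated;
    anything else to a non-loopback address is reported."""
    return [c for c in connects
            if c["port"] not in allowed_ports and not c["ip"].startswith("127.")]


def parse_init_kills(lines, job="ssh"):
    """Extract (ts, pid, signal) for each 'killed by ... signal' line of one job."""
    kills = []
    for line in lines:
        m = KILL_RE.search(line)
        if m and m.group(2) == job:
            kills.append({"ts": float(m.group(1)), "pid": int(m.group(3)),
                          "signal": m.group(4)})
    return kills


def intervals(timestamps):
    """Gaps, in seconds, between consecutive timestamps."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def is_periodic(gaps, period, tolerance):
    """True when every gap lies within tolerance seconds of the expected period."""
    return bool(gaps) and all(abs(g - period) <= tolerance for g in gaps)


if __name__ == "__main__":
    for c in suspicious_connects(parse_strace_connects(SAMPLE_STRACE.splitlines())):
        print("outbound connect from sshd: %s:%d (fd %d)" % (c["ip"], c["port"], c["fd"]))
    kills = parse_init_kills(SAMPLE_INIT.splitlines())
    gaps = intervals([k["ts"] for k in kills])
    print("kill gaps (s):", ["%.1f" % g for g in gaps])
    print("~600 s period:", is_periodic(gaps, 600.0, 5.0))
```

To run this against a live box rather than the pasted lines, feed it `strace -f -e trace=network -p <sshd pid>` output and `dmesg` (or the upstart log) instead of the sample strings. The four gaps here all come out at about 600.7 to 600.9 seconds, which matches both the "every 600 seconds" observation and the 600-second timeout passed to select() in the trace.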
Anyway, if anyone else has seen this thing in the wild, or knows the nature of this, please contact me. I have a feeling, due to the otherwise undocumented and unlisted nature of this exploit, I might get a little bit of blowback from this post. I have not yet found out how they got into the system in the first place, but I've updated everything and limited access from my firewall. It's not a box I check very often, but that will certainly change now. Stay vigilant.
Michael @ 04:38 PM

Filed under: mg2
Napoleon Prometheus

Posted on Friday 06 April 2012

to do away with things "i am"
i think back to when it all began

long before my OCD
and i obsessed o'er symmetry

an oblong shape, and born alone
no friends to call, no place my home

how could i say to the world at large
i am a boss, i am in charge?

an utterance might escape my mouth
"a republican from deep down south"

"a fireman, a loving friend"
"a kind and gentle man, husband"

i am those things?  i'm surely not
i'm an organism that's all i've got

i could barely say "i have hair"
i didn't though, i didn't care



the time will come to let it go
when it does, it helps to know

there was a time once in the past
you embraced a role, which held steadfast

in becoming it you became you
restless, eager, sudden, new

a page not written but splattered with ink
lips for kissing, and tears for cheeks

your inside out heart's embrace
full citizen of the human race

what a lovely birth gave you your role
you use it now just t' feign control

control you never really had
it's desperation, breathing ragged



shhhh my love it's a new year
there's no place far or near for fear

embrace me now as i hold close
the dearest reason of the most

important choice we'd ever made
in choosing freedom or t'be a slave

there's something powerful in 'i am'
something simple, something grand

if you are pursuing truth
be extra careful in your youth

not to base your image on
things you can't rely upon

namely anything you can think of
that isn't truth, respect, or love



base yourself on something more
want more than you bargained for

then you will end up on the floor
life's new bitch, you dirty whore

but if you hold your chin up steady
understand you're never ready

face the morning at the dawn
weed your garden, mow the lawn

you will get what's not come yet
earn your wager, don't have to bet

like the oceans and the seas
your well of karmic honesty

will not run dry, and never freeze
the slave that was?  has been set free


--_-
Michael @ 04:03 PM

Filed under: Creative
Adium / Pidgin Chat Log Command Line cat utility!

Posted on Friday 16 September 2011

Hello, check out chatcat, a command line utility I just wrote for catting XML-based Adium chat log files to a UNIX terminal. It comes in handy if you want to grep for certain things and be able to read them. Converts the XML data to ASCII! Enjoy <3
Michael @ 01:23 PM

Filed under: Code Snippits
This Track

Posted on Monday 28 March 2011

I put this track on and it reminded me of a time long ago when we were happy together.   When we were close and we were naive about how much we loved one another.  At least I was naive about that kind of thing.  I can't remember what track it was, but it was just maybe a chord that reminded me.  Or a smell.  Or something just for a flash cos then a Rancid track came on shuffle play and I was glad you weren't in my life anymore.  Bye.
Michael @ 10:19 PM

Filed under: Love
Robot St. James - Futurama

Posted on Saturday 19 February 2011

I love that he rocks out on only a mouse wheel.
Michael @ 03:25 PM

Filed under: Bad Code Snippits