sshd not checking passwords!


sshd not checking passwords!

The Mac OS X Server Mailing List mailing list
I have an OSX 10.9.5 system on which I enabled remote logins (ssh). That works, but a user ssh’ing in can type in any password (or even a return) at the Password: prompt and still gets logged in! What's even worse is that any other account (even a privileged username) can be specified on the ssh command line and the login still happens!

There's not much in the log.

Here's what's generated when I enable remote logins in Sys Prefs:

8:32:36 PM com.apple.preferences.sharing.remoteservice: remote view marshal proxy failed to forward event to remote due to Error Domain
8:32:36 PM com.apple.preferences.sharing.remoteservice: assertion failed: 13F34: liblaunch.dylib + 25164
8:32:36 PM com.apple.preferences.sharing.remoteservice: assertion failed: 13F34: liblaunch.dylib + 25164
8:32:36 PM com.apple.preferences.sharing.remoteservice: Bogus event received by listener connection:<error: 0x7fff7750db50>
8:32:36 PM com.apple.preferences.sharing.remoteservice: nsc_smb XPC: handler_event error : < Connection invalid >

Here's what's generated when I successfully ssh into the machine, hitting return at the Password: prompt:

8:33:55 PM sshd: carlh [priv]: USER_PROCESS: 8211 ttys002
8:33:55 PM sshd: carlh [priv]: DEAD_PROCESS: 8211 ttys002

What could be causing this? I’ve tried resetting the password, but no change.
-Carl



 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Macos-x-server mailing list      ([hidden email])
Help/Unsubscribe/Update your Subscription:
https://lists.apple.com/mailman/options/macos-x-server/lists%2Bs10970n2h62%40n7.nabble.com

This email sent to [hidden email]

Re: sshd not checking passwords!

The Mac OS X Server Mailing List mailing list
        Unfortunately, I don’t know what is wrong in your case, but I would at least be worried about a malware infestation (after all, we don’t often check the negative case on things like this). I would first make sure that `sshd` is running out of `/usr/sbin/sshd`, and then start comparing `/etc/sshd_config` with a known-good copy. Unfortunately this is one of the files that get auto-generated when you turn on ssh, so you can’t pull the original one out of a package to be absolutely certain.

        But I did want to point out that this sounds surprisingly like a “Sad Server” quote:

> You are like the Oprah of bad security practices, password-less sudo for everybody!

https://twitter.com/sadserver/status/435826626664726528


Karl Kuehn
[hidden email]



> On Feb 26, 2015, at 7:52 PM, OS X Server Mail List <[hidden email]> wrote:




Re: sshd not checking passwords!

The Mac OS X Server Mailing List mailing list
Thanks, Karl.

Yes, sshd is being run from /usr/sbin (according to ps). The ssh_config
file is the default (unmodified) one that got installed with Mavericks (it
was a clean install on a new drive). I tried explicitly enabling:
PasswordAuthentication yes
ChallengeResponseAuthentication yes
...but these made no difference.

I'm running a Sophos security scan on the drive now, but it will take many
hours before that completes.

Logins at the iMac console window perform properly, it's just sshd. Even
with -v on the ssh command line, it tells nothing more than
'Authentication succeeded (keyboard-interactive)' when hitting return at
the Password: prompt.

Not sure if upgrading to 10.10 would affect anything.
-Carl





Re: sshd not checking passwords!

The Mac OS X Server Mailing List mailing list
What about sshd_config?
________________________________________
From: macos-x-server-bounces+trice=[hidden email] <macos-x-server-bounces+trice=[hidden email]> on behalf of OS X Server Mail List <[hidden email]>
Sent: Friday, February 27, 2015 2:43 PM
To: OS X Server Mail List
Subject: Re: sshd not checking passwords!



Re: sshd not checking passwords!

The Mac OS X Server Mailing List mailing list
Dear Carl,

Have you tried "ssh -vvv" ?

From the ssh man page:  "Multiple -v options increase the verbosity.  The maximum is 3."

Mark Abajian, [hidden email]
(818) 726-0372  mobile

> Date: Fri, 27 Feb 2015 11:43:13 -0800
> From: OS X Server Mail List <[hidden email]>
> To: OS X Server Mail List <[hidden email]>
> Subject: Re: sshd not checking passwords!
> Message-ID:
> <[hidden email]>



Re: sshd not checking passwords!

The Mac OS X Server Mailing List mailing list
On Feb 27, 2015, at 2:13 PM, OS X Server Mail List <[hidden email]> wrote:

> Have you tried "ssh -vvv" ?

Great idea! Here’s the (very) verbose output! (IP address has been sanitized for obvious reasons!)
-Carl



OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 121.175.218.31 [121.175.218.31] port 22.
debug1: Connection established.
debug1: identity file /Users/carlh/.ssh/id_rsa type -1
debug1: identity file /Users/carlh/.ssh/id_rsa-cert type -1
debug1: identity file /Users/carlh/.ssh/id_dsa type -1
debug1: identity file /Users/carlh/.ssh/id_dsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2
debug1: match: OpenSSH_6.2 pat OpenSSH*
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "121.175.218.31" from file "/Users/carlh/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /Users/carlh/.ssh/known_hosts:13
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: [hidden email],[hidden email],ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: [hidden email],[hidden email],ssh-rsa,[hidden email],[hidden email],ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[hidden email],[hidden email],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[hidden email]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[hidden email],[hidden email],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[hidden email]
debug2: kex_parse_kexinit: [hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],hmac-md5,hmac-sha1,[hidden email],[hidden email],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[hidden email],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: [hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],hmac-md5,hmac-sha1,[hidden email],[hidden email],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[hidden email],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[hidden email],zlib
debug2: kex_parse_kexinit: none,[hidden email],zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[hidden email],[hidden email],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[hidden email]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,[hidden email],[hidden email],aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,[hidden email]
debug2: kex_parse_kexinit: [hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],hmac-md5,hmac-sha1,[hidden email],[hidden email],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[hidden email],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: [hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],[hidden email],hmac-md5,hmac-sha1,[hidden email],[hidden email],hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,[hidden email],hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,[hidden email]
debug2: kex_parse_kexinit: none,[hidden email]
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found [hidden email]
debug1: kex: server->client aes128-ctr [hidden email] none
debug2: mac_setup: found [hidden email]
debug1: kex: client->server aes128-ctr [hidden email] none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 134/256
debug2: bits set: 517/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 42:07:6b:87:c6:fe:84:7b:04:ce:d2:0f:57:bb:0e:f0
debug3: load_hostkeys: loading entries for host "121.175.218.31" from file "/Users/carlh/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /Users/carlh/.ssh/known_hosts:13
debug3: load_hostkeys: loaded 1 keys
debug1: Host '121.175.218.31' is known and matches the RSA host key.
debug1: Found key in /Users/carlh/.ssh/known_hosts:13
debug2: bits set: 519/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /Users/carlh/.ssh/id_rsa (0x0),
debug2: key: /Users/carlh/.ssh/id_dsa (0x0),
debug1: Authentications that can continue: publickey,keyboard-interactive
debug3: start over, passed a different list publickey,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/carlh/.ssh/id_rsa
debug3: no such identity: /Users/carlh/.ssh/id_rsa: No such file or directory
debug1: Trying private key: /Users/carlh/.ssh/id_dsa
debug3: no such identity: /Users/carlh/.ssh/id_dsa: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
<... hit return here …>

debug3: packet_send2: adding 48 (len 10 padlen 6 extra_pad 64)
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 0
debug3: packet_send2: adding 48 (len 6 padlen 10 extra_pad 64)
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to 121.175.218.31 ([121.175.218.31]:22).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Requesting [hidden email]
debug1: Entering interactive session.
debug2: callback start
debug2: fd 3 setting TCP_NODELAY
debug3: packet_set_tos: set IP_TOS 0x10
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug1: Sending environment.
debug3: Ignored env TERM_PROGRAM
debug3: Ignored env SHELL
debug3: Ignored env TERM
debug3: Ignored env TMPDIR
debug3: Ignored env Apple_PubSub_Socket_Render
debug3: Ignored env TERM_PROGRAM_VERSION
debug3: Ignored env TERM_SESSION_ID
debug3: Ignored env USER
debug3: Ignored env SSH_AUTH_SOCK
debug3: Ignored env __CF_USER_TEXT_ENCODING
debug3: Ignored env PATH
debug3: Ignored env __CHECKFIX1436934
debug3: Ignored env DSS
debug3: Ignored env PWD
debug1: Sending env LANG = en_US.UTF-8
debug2: channel 0: request env confirm 0
debug3: Ignored env SHLVL
debug3: Ignored env HOME
debug3: Ignored env GNUTERM
debug3: Ignored env LOGNAME
debug3: Ignored env SECURITYSESSIONID
debug3: Ignored env _
debug2: channel 0: request shell confirm 1
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
Last login: Fri Feb 27 12:40:41 2015 from 150.135.218.38
$


Re: sshd not checking passwords!

The Mac OS X Server Mailing List mailing list
Whew, I got to the bottom of this, finally. It turns out the system was compromised. Not from the outside, but from a package I installed on it. It contained some malware (DDoS-BH, PerlBot-A, and JavaSnd-B). sshd itself wasn’t touched.

The odd files I found on the system:

-rwxr-xr-x   1 root  wheel  678814 Dec  1 09:27 /bin/bin_z    (DDoS-BH)
-rw-r--r--   1 root  wheel   39333 Nov 22 12:39 /var/.lug.txt (PerlBot-A)
-rw-r--r--   1 root  wheel  139900 Dec  1 11:17 /etc/rc.local
-r--r--r--   1 root  wheel    8061 Dec  1 11:17 /etc/profile
-rw-r--r--   1 root  wheel       0 Dec  1 11:17 /etc/dmesg

The .lug.txt file gives a permissions error when trying to read it. There’s some sort of deny-file-read on it, but no ACLs. I have no idea what it is or contains, so I could only delete it. JavaSnd-B was embedded in numerous .tar files and in Time Machine backups.

The fake ‘profile' had this for contents:

# System-wide .profile for sh(1)

if [ -x /usr/libexec/path_helper ]; then
        eval `/usr/libexec/path_helper -s`
fi

if [ "${BASH-no}" != "no" ]; then
        [ -r /etc/bashrc ] && . /etc/bashrc
fi
unset MAILCHECK
unset MAILCHECK
unset MAILCHECK
unset MAILCHECK
unset MAILCHECK
unset MAILCHECK
. . .

The fake ‘rc.local' has this for contents:

cd /tmp;./sfewfesfs
cd /tmp;./gfhjrtfyhuf
cd /tmp;./rewgtf3er4t
cd /tmp;./fdsfsfvff
cd /tmp;./smarvtd
cd /tmp;./whitptabil
cd /tmp;./gdmorpen
cd /etc;./sfewfesfs
cd /etc;./gfhjrtfyhuf
cd /etc;./rewgtf3er4t
cd /etc;./fdsfsfvff
cd /etc;./smarvtd
cd /etc;./whitptabil
cd /etc;./gdmorpen
. . .

All is working again. Just goes to show you gotta vet your 3rd-party packages!
Thanks to all,
-Carl




Re: sshd not checking passwords!

The Mac OS X Server Mailing List mailing list

> On 28 Feb 2015, at 04:27, OS X Server Mail List <[hidden email]> wrote:
>
> Whew, I got to the bottom of this, finally. It turns out the system was compromised. Not from the outside, but from a package I installed on it. It contained some malware (DDoS-BH, PerlBot-A, and JavaSnd-B). sshd itself wasn’t touched.
Just out of curiosity - what tool did you use to find the malware?

Radosław Długosz
+48 693 581 574

Apple Certified Help Desk Specialist
Apple Certified Technical Coordinator
Apple Certified System Administrator

Cider House IT Sp. z o.o.
ul. Wojciecha Gersona 10/15
30-818 Kraków

NIP 6793094216
REGON 122914197
KRS 0000472716
District Court for Kraków-Śródmieście in Kraków, 11th Commercial Division
Share capital: PLN 5000




Re: sshd not checking passwords!

The Mac OS X Server Mailing List mailing list
More importantly, what package did you install????

> On 2 Mar 2015, at 11:43, OS X Server Mail List <[hidden email]> wrote:
>
>
>> On 28 Feb 2015, at 04:27, OS X Server Mail List <[hidden email]> wrote:
>>
>> Whew, I got to the bottom of this, finally. It turns out the system was compromised. Not from the outside, but from a package I installed on it. It contained some malware (DDoS-BH, PerlBot-A, and JavaSnd-B). sshd itself wasn’t touched.
> Just out of curiosity - what tool did you use to find the malware?
>
> Radosław Długosz




Re: sshd not checking passwords!

The Mac OS X Server Mailing List mailing list
First, I found some anomalous files on my own just by snooping around in /etc and comparing what was there to a known uninfected 10.9.5 system. The rc.local, profile, and dmesg files obviously weren’t supposed to be there. With that in mind, I fired up Sophos. The scan took over 24 hours, but that’s because it was also scanning the TM backups on the external drive. So it found and identified the various virus-infected files.

I’m not certain which 3rd-party package it was that infected the system. Sophos identified a number of LaTeX files that were infected so I am certain it was a LaTeX package (and I installed about every one that I found online, to see what each offered.) Apparently, one offered more than it advertised!

I guess I should have suspected break-in/infection earlier on. I’m still not sure how the infection was able to make sshd perform the way it did.
-Carl


On Mar 2, 2015, at 4:54 AM, OS X Server Mail List <[hidden email]> wrote:

> More importantly, what package did you install????



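Carl's approach of comparing /etc with a known uninfected 10.9.5 system can be made repeatable. The following is an added example (not code from the thread, from Sophos or from Apple): it builds a hash manifest of a directory tree on each system and reports files that were added, removed or changed; demo() uses constructed temporary trees in place of real /etc copies.

```python
import hashlib
import os
import shutil
import stat
import tempfile

# Added example (not from the thread): snapshot an /etc-like tree into a manifest
# and diff it against the same snapshot from a clean install of the same OS version.

def build_manifest(root):
    """Map each regular file under root (relative path) to (sha256, mode, uid)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets and devices
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root)
            manifest[rel] = (h.hexdigest(), stat.S_IMODE(st.st_mode), st.st_uid)
    return manifest

def diff_manifests(baseline, current):
    """Files added, removed or changed on the suspect system vs the clean baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p]),
    }

def demo():
    # Constructed trees: a clean one, and one with an extra rc.local and an edited sshd_config.
    base = tempfile.mkdtemp()
    try:
        clean, suspect = os.path.join(base, "clean"), os.path.join(base, "suspect")
        for root in (clean, suspect):
            os.makedirs(os.path.join(root, "ssh"))
            with open(os.path.join(root, "ssh", "sshd_config"), "w") as f:
                f.write("PasswordAuthentication yes\n")
        with open(os.path.join(suspect, "rc.local"), "w") as f:
            f.write("# file that does not exist on the clean install\n")
        with open(os.path.join(suspect, "ssh", "sshd_config"), "a") as f:
            f.write("PermitEmptyPasswords yes\n")
        return diff_manifests(build_manifest(clean), build_manifest(suspect))
    finally:
        shutil.rmtree(base)
```

Run build_manifest on the clean machine, save the result, and diff it against the suspect machine's manifest; anything under "added" (such as an unexpected rc.local) or "changed" is what to inspect first.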

Re: sshd not checking passwords!

The Mac OS X Server Mailing List mailing list
Malware can include a rootkit, which, when installed, gives
root/privileged access to the system. Root is allowed to modify just
about anything, including the SSH daemon config. So, the malware
probably rooted the system and installed/ran a script that made the
changes and installed the suspect files.

Ian

On Mon, Mar 2, 2015 at 8:17 AM, OS X Server Mail List
<[hidden email]> wrote:

> First, I found some anomalous files on my own just by snooping around in /etc and comparing what was there to a known uninfected 10.9.5 system. The rc.local, profile, and dmesg files obviously weren’t supposed to be there. With that in mind, I fired up Sophos. The scan took over 24 hours, but that’s because it was also scanning the TM backups on the external drive. So it found and identified the various virus-infected files.



--
Ian Kaufman
Research Systems Administrator
UC San Diego, Jacobs School of Engineering ikaufman AT ucsd DOT edu


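Ian's point that root can rewrite the SSH daemon config suggests one concrete check after a compromise. The following is an added example, not code from the thread, from Apple or from OpenSSH: it parses an sshd_config with first-occurrence-wins semantics and flags explicit settings that weaken password checking; EXPECTED holds this example's own hardening choices, and the sample configs are constructed.

```python
# Added example (not from the thread): audit an sshd_config for explicit settings
# that weaken password checking. Assumes OpenSSH semantics: the first occurrence
# of a keyword wins and lines after "Match" apply only conditionally. Keys absent
# from the file fall back to sshd's defaults, which this checker does not model.

EXPECTED = {                      # this example's hardening choices
    "permitemptypasswords": "no",
    "permitrootlogin": "no",
    "usepam": "yes",
}

def parse_sshd_config(text):
    """Return the globally effective value of each keyword (keywords lowercased)."""
    effective = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match or key in effective:
            continue   # Match-scoped lines and later duplicates never win globally
        effective[key] = value
    return effective

def audit_sshd_config(text):
    """List explicit settings whose global value differs from EXPECTED."""
    cfg = parse_sshd_config(text)
    return [f"{key} is '{cfg[key]}' but should be '{wanted}'"
            for key, wanted in EXPECTED.items()
            if key in cfg and cfg[key].lower() != wanted]

# Constructed sample: a weakened config (the Match block must not mask the global value) ...
WEAK = """\
Port 22
PermitRootLogin yes
PermitEmptyPasswords yes
UsePAM yes
Match User backup
    PermitEmptyPasswords no
"""
# ... and the hardened version a clean reinstall should produce.
HARDENED = (WEAK.replace("PermitRootLogin yes", "PermitRootLogin no")
                .replace("PermitEmptyPasswords yes", "PermitEmptyPasswords no"))
```

Compare the output for /etc/sshd_config on the suspect machine with the same file from a clean 10.9.5 install; any finding, or any keyword the clean file does not contain, is worth explaining before trusting the host again.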