Does a known security issue allow ssh login via system accounts?

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



Hi,

If this is not the right place to ask this, please redirect me. Hopefully it
is a known vulnerability, due to out of date software. We had a server
running OpenSSH_8.6p1 compiled on Ubuntu 16.04.7 which was compromised last
week. The intruder managed to achieve this:

  Feb 24 08:13:52 localhost sshd[32276]: Accepted password for backup from 5.161.47.185 port 37962 ssh2

This despite that /etc/passwd has:

  backup:x:34:34:backup:/var/backups:/usr/sbin/nologin

And /etc/shadow has:

  backup:*:16359:0:99999:7:::

Either the /usr/bin/nologin or the "*" in the second field of /etc/shadow
should have been enough to prevent "Accepted password for backup." The
/usr/sbin/nologin is the standard version for that Ubuntu generation, byte
identical.

Adding this to sshd_config was effective:

  DenyUsers backup

If that's still not the default for system-level users like "backup", would
adding it be a reasonble feature request? Or is that on the distros to
define their default sshd_config settings?

The files in pam.d on the compromised system are standard. There's no public
key for "backup", and no ".ssh" folder in /var/backups. The intruder managed
to send out spam via the local postfix service, which is what made the
intrusion obvious. OSSEC (Wazuh) didn't spot anything. We've of course taken
the system offline. But we'd like to understand how that login by "backup"
was possible.

Thanks for any pointers. It's hard to google for this, due to "backup" being
such a generic term.  

Whit


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux