sshd hacked in only 50,000 tries
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openssh (Ubuntu) | Invalid | Undecided | Unassigned |
Bug Description
Binary package hint: openssh-server
Granted, I should have been paying attention.
But.
I hadn't changed the root password from initial install - I just use sudo.
Each character of a password is one of over 60 possibilities.
..so a 3-character password entails over 200,000 possibilities.
..which gives them a 23% chance of having cracked my system in the number of tries they did - if it was a 3-character password. 4 character password makes it a .3% chance. 5 character password makes it a .00006% chance. You get the picture.
so, some information:
I'm running Kubuntu LTS, with "OpenSSH_4.2p1 Debian-7ubuntu3, OpenSSL 0.9.8a"
and, some questions:
..why was my system hacked in only ~50,000 tries? ..my own idiocy aside -- Is there a bug in openssh-server, or some other vulnerability I don't know about? ..if so, is there a patch coming out soon?
..I thought there was no password/no potential for login other than 'sudo bash' or 'sudo su' for the root account in (k)Ubuntu. Is this not the case?
..why does openssh-server in (k)Ubuntu allow root logins by default, particularly with the whole "rootless" idea going on?
..and, of course.. What potentially useful information can I provide to help this get fixed?
Compromise occurred on Aug. 14th.
Please don't just blow me off on this - I think there's an actual issue here. If you do, please give solid reason why you think it's probable that someone hacked my system in that time.
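The questions above ("how many tries, against which account, and did one of them succeed?") are answered by sshd's own syslog lines, and the "why does it allow root logins" question by two sshd_config directives. The following is an added example, not code from the bug report or from Ubuntu: it parses auth.log lines in the OpenSSH 4.x "Failed/Accepted password for ... from ... port ..." format, counts failures per source and per user, flags a password login that follows a run of failures from the same address, and checks sshd_config for the settings that make such a login possible. The host name, PIDs, addresses and config text are constructed samples.

```python
"""
Added example, not part of the bug report: what the reporter could pull out
of /var/log/auth.log, plus a check of the two sshd_config directives that
matter. All log lines and config text below are constructed samples.
"""
import re
from collections import Counter

# OpenSSH 4.x syslog format, e.g.
#   Aug 14 02:11:07 kbox sshd[4120]: Failed password for root from 192.0.2.10 port 51234 ssh2
#   Aug 14 02:11:30 kbox sshd[4130]: Failed password for invalid user admin from 192.0.2.10 port 51030 ssh2
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_auth_log(lines):
    """Return (timestamp, result, method, user, src) for every auth line."""
    events = []
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            events.append((m["ts"], m["result"], m["method"], m["user"], m["src"]))
    return events


def summarize(lines, threshold=20):
    """Count failures per source and per user, and flag any accepted password
    login from a source that had already failed `threshold` times: that is
    what a successful brute-force looks like in the log."""
    failures_by_src = Counter()
    failures_by_user = Counter()
    suspicious = []
    for ts, result, method, user, src in parse_auth_log(lines):
        if result == "Failed":
            failures_by_src[src] += 1
            failures_by_user[user] += 1
        elif method == "password" and failures_by_src[src] >= threshold:
            suspicious.append((ts, user, src, failures_by_src[src]))
    return {
        "failures_by_src": failures_by_src,
        "failures_by_user": failures_by_user,
        "suspicious_logins": suspicious,
    }


# Values that leave password guessing against root possible. OpenSSH of that
# era defaulted both directives to "yes" when they were absent from the file.
WEAK_SETTINGS = {"permitrootlogin": "yes", "passwordauthentication": "yes"}


def config_findings(config_text):
    """Return the directives (lower-cased) that are set to, or default to,
    the weak value. sshd_config accepts both 'Key value' and 'Key=value'."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            seen[parts[0].lower()] = parts[1].strip().lower()
    return [key for key, weak in WEAK_SETTINGS.items() if seen.get(key, weak) == weak]


def constructed_log():
    """Constructed sample: 25 root failures and one 'invalid user' failure from
    one address, then a password login for root from that same address."""
    src = "192.0.2.10"
    lines = [
        f"Aug 14 02:11:{s:02d} kbox sshd[{4100 + s}]: Failed password for root from {src} port {51000 + s} ssh2"
        for s in range(25)
    ]
    lines.append(f"Aug 14 02:11:30 kbox sshd[4130]: Failed password for invalid user admin from {src} port 51030 ssh2")
    lines.append(f"Aug 14 02:11:31 kbox sshd[4131]: Accepted password for root from {src} port 51031 ssh2")
    lines.append("Aug 14 09:00:00 kbox sshd[4200]: Accepted publickey for brian from 203.0.113.5 port 40000 ssh2")
    return lines


WEAK_CONFIG = """\
# constructed sample of the shipped defaults
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
# constructed sample: root cannot log in over ssh, and nobody logs in with a password
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no   # keys only
MaxAuthTries 3
"""

if __name__ == "__main__":
    report = summarize(constructed_log())
    print("failures by source:", dict(report["failures_by_src"]))
    print("failures by user:  ", dict(report["failures_by_user"]))
    print("password logins after a failure run:", report["suspicious_logins"])
    print("weak config findings:    ", config_findings(WEAK_CONFIG))
    print("hardened config findings:", config_findings(HARDENED_CONFIG))
```

Run against the real file with `summarize(open("/var/log/auth.log"))`; the counts from the address in `suspicious_logins` are the "number of tries" the reporter is estimating, and `failures_by_user` shows whether root specifically was being targeted.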
--
status needsinfo
Hi,
Brian Visel [2006-08-29 6:51 -0000]:
> I hadn't changed the root password from initial install - I just use
> sudo.
The default install disables the root account completely. It is only
active if you did an expert installation or manually set it after
installation.
> Each character of a password is one of over 60 possibilities.
>
> ..so a 3-character password entails over 200,000 possibilities.
> ..which gives them a 23% chance of having cracked my system in the
> number of tries they did - if it was a 3-character password. 4
> character password makes it a .3% chance. 5 character password
> makes it a .00006% chance. You get the picture.
These figures do not reflect reality. Even though passwords aren't
(or, rather, shouldn't be) real language words, they still usually
contain parts of words. Due to character probabilities depending on
each other and passwords being based on dictionary words (see john)
you usually have a heavily inhomogeneous distribution. It is usually
not a problem at all to crack a password of 6 or fewer characters.
> ..why was my system hacked in only ~50,000 tries? ..my own idiocy
> aside -- Is there a bug in openssh-server, or some other
> vulnerability I don't know about? ..if so, is there a patch coming
> out soon?
There is probably no bug. First, we need to track down your situation:
* Did you do an expert install or set the root password explicitly
after installation?
* How long is the password? Can you post it here? (Since I guess that
you changed it after the attack anyway)
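The two sides of the exchange above disagree about arithmetic: the reporter's figures assume every string of a given length is equally likely, while the reply's point is that a cracker orders its guesses by likelihood, so a short, word-derived password falls within the first few thousand tries regardless of the size of the keyspace. The following is an added example (not code from the bug report, the reply, or john): `uniform_chance()` reproduces the reporter's estimate, and `guess_rank()` reports where a password falls in the order a rule-based cracker would try it, using a constructed wordlist and a simplified rule set that stands in for john's real rules.

```python
"""
Added example, not from the bug report or the reply: puts numbers on the
disagreement above. The wordlist and the mangling rules are constructed
simplifications of what a john-style wordlist attack does.
"""

LEET = str.maketrans("aeios", "43105")

RULES = [                         # applied rule-major: each rule over the whole list
    lambda w: w,                  # the word itself
    str.capitalize,               # Password
    str.upper,                    # PASSWORD
    lambda w: w[::-1],            # drowssap
    lambda w: w.translate(LEET),  # p455w0rd
]

SUFFIXES = ([str(d) for d in range(10)]
            + ["123", "1234", "!", "1!"]
            + ["%02d" % n for n in range(100)])

WORDLIST = [  # constructed; real lists run to millions of entries
    "password", "root", "admin", "letmein", "qwerty", "toor", "test",
    "ubuntu", "kubuntu", "linux", "secret", "welcome", "login", "user", "guest",
]


def uniform_chance(tries, length, alphabet_size=62):
    """The reporter's model: share of a uniform keyspace of `length`
    characters covered by `tries` distinct guesses."""
    return min(1.0, tries / alphabet_size ** length)


def candidates(words):
    """Yield guesses in cracker order: every rule over the plain list first,
    then every base form with a suffix, then with a leading digit.
    Duplicates (e.g. reversed 'toor' == 'root') are skipped."""
    bases = [rule(w) for rule in RULES for w in words]
    stages = (
        iter(bases),
        (b + s for s in SUFFIXES for b in bases),
        (str(d) + b for d in range(10) for b in bases),
    )
    seen = set()
    for stage in stages:
        for c in stage:
            if c not in seen:
                seen.add(c)
                yield c


def guess_rank(password, words=WORDLIST, limit=50_000):
    """1-based position of `password` in the guess order, or None if it is
    not among the first `limit` candidates (the reporter's ~50,000 tries)."""
    for i, c in enumerate(candidates(words), start=1):
        if i > limit:
            return None
        if c == password:
            return i
    return None


if __name__ == "__main__":
    for pw in ["root", "Root", "root123", "p455w0rd", "xq7#Lm"]:
        print(f"{pw!r:12} rank in guess order: {guess_rank(pw)!s:6} "
              f"uniform estimate for {len(pw)} chars and 50,000 tries: "
              f"{uniform_chance(50_000, len(pw)):.2e}")
```

With this tiny list the whole guess order is under 10,000 candidates, so every word-derived form is reached well inside 50,000 tries, while the uniform model puts a seven-character password like `root123` at a one-in-a-billion-scale chance; a random string such as `xq7#Lm` is never reached at all, which is the distribution difference the reply is describing.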