sshd hacked in only 50,000 tries

Bug #58074 reported by Brian Ealdwine
Affects           Status    Importance   Assigned to   Milestone
openssh (Ubuntu)  Invalid   Undecided    Unassigned

Bug Description

Binary package hint: openssh-server

Granted, I should have been paying attention.

But.

I hadn't changed the root password from initial install - I just use sudo.

Each character of a password is one of over 60 possibilities.

..so a 3-character password entails over 200,000 possibilities.
..which gives them a 23% chance of having cracked my system in the number of tries they did - if it was a 3-character password. 4 character password makes it a .3% chance. 5 character password makes it a .00006% chance. You get the picture.

so, some information:
I'm running Kubuntu LTS, with "OpenSSH_4.2p1 Debian-7ubuntu3, OpenSSL 0.9.8a"

and, some questions:
..why was my system hacked in only ~50,000 tries? ..my own idiocy aside -- Is there a bug in openssh-server, or some other vulnerability I don't know about? ..if so, is there a patch coming out soon?
..I thought there was no password/no potential for login other than 'sudo bash' or 'sudo su' for the root account in (k)Ubuntu. Is this not the case?
..why does openssh-server in (k)Ubuntu allow root logins by default, particularly with the whole "rootless" idea going on?
..and, of course.. What potentially useful information can I provide to help this get fixed?

Compromise occurred on aug. 14th.

Please don't just blow me off on this - I think there's an actual issue here. If you do, please give solid reason why you think it's probable that someone hacked my system in that time.

--

Brian Ealdwine (eode)
Martin Pitt (pitti) wrote : Re: [Bug 58074] sshd hacked in only 50,000 tries

 status needsinfo

Hi,

Brian Visel [2006-08-29 6:51 -0000]:
> I hadn't changed the root password from initial install - I just use
> sudo.

The default install disables the root account completely. It is just
active if you did an expert installation or manually set it after
installation.

> Each character of a password is one of over 60 possibilities.
>
> ..so a 3-character password entails over 200,000 possibilities.
> ..which gives them a 23% chance of having cracked my system in the
> number of tries they did - if it was a 3-character password. 4
> character password makes it a .3% chance. 5 character password
> makes it a .00006% chance. You get the picture.

These figures do not reflect reality. Even though passwords aren't
(or, rather, shouldn't be) real language words, they still usually
contain parts of words. Due to character probabilities depending on
each other and passwords being based on dictionary words (see john)
you usually have a heavily inhomogeneous distribution. It is usually
not a problem at all to crack passwords of 6 or fewer characters.

> ..why was my system hacked in only ~50,000 tries? ..my own idiocy
> aside -- Is there a bug in openssh-server, or some other
> vulnerability I don't know about? ..if so, is there a patch coming
> out soon?

There is probably no bug. First, we need to track down your situation:

 * Did you do an expert install or set the root password explicitly
   after installation?

 * How long is the password? Can you post it here? (Since I guess that
   you changed it after the attack anyway)

Changed in openssh:
status: Unconfirmed → Needs Info
RobertBrunhuber (ubuntu-rbrunhuber) wrote :

We are closing this bug report as it lacks the information, described in the previous comments, that we need to investigate the problem further. However, please reopen it if you can give us the missing information, and don't hesitate to submit bug reports in the future.

Changed in openssh:
status: Needs Info → Rejected
Hubert Farnsworth (spam-band24) wrote :

Actually I had the same problem some days ago. Only that my root account was hacked with only 400 attempts.

I used the alternate installation CD of Ubuntu 8.10, but I was not asked for a root password. Here's a piece of my log:

> Dec 6 00:11:52 cfm sshd[7961]: Failed password for root from
> ...
> Dec 6 00:35:23 cfm sshd[9034]: Accepted password for root from

I _did not_ set a root password after installation.

This seems like a reason for me to set PermitRootLogin to no in the distributed binary package!

Hubert Farnsworth (spam-band24) wrote :

P.S.: I cut the lines of the log because I did not want to publish the IP address here. The lines continue with the IP, port and "ssh2".
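Added example, not code from any of the commenters, from Ubuntu or from OpenSSH: a small Python script that parses auth-log lines of the shape quoted above (the IP addresses, ports and trailing "ssh2" that were cut from the quote are constructed placeholders here) and flags any "Accepted password" login from a source that had already produced a run of "Failed password" lines, which is the sequence both reports in this thread describe. A second function reads the effective PermitRootLogin value out of an sshd_config body, the setting proposed above. The failure threshold, the sample lines and the assumed default of "yes" for a missing directive (the compiled-in default on OpenSSH releases before 7.0) are assumptions, not values from the report.

```python
import re
from collections import defaultdict

# Constructed sample log in the syslog format quoted in the thread.
# Addresses, ports and the alice account are placeholders, not report data.
SAMPLE_LOG = """\
Dec  6 00:11:52 cfm sshd[7961]: Failed password for root from 192.0.2.10 port 40122 ssh2
Dec  6 00:11:55 cfm sshd[7963]: Failed password for root from 192.0.2.10 port 40130 ssh2
Dec  6 00:12:01 cfm sshd[7965]: Failed password for invalid user admin from 192.0.2.10 port 40140 ssh2
Dec  6 00:12:09 cfm sshd[7970]: Failed password for root from 192.0.2.10 port 40151 ssh2
Dec  6 00:20:40 cfm sshd[8102]: Accepted password for alice from 198.51.100.7 port 51000 ssh2
Dec  6 00:35:23 cfm sshd[9034]: Accepted password for root from 192.0.2.10 port 40988 ssh2
"""

# syslog prints single-digit days with two spaces ("Dec  6"); \s+ accepts both forms.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)


def parse_line(line):
    """Return a dict (ts, result, user, ip) for a password auth line, else None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_bruteforce_successes(log_text, threshold=3):
    """Return (ip, user, failures_before_success, timestamp) for every accepted
    password login from a source IP that had already failed at least
    `threshold` times (any user name; the attacker may try several).
    The threshold is an assumed tuning value."""
    failures = defaultdict(int)
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["result"] == "Failed":
            failures[ev["ip"]] += 1
        elif failures[ev["ip"]] >= threshold:
            hits.append((ev["ip"], ev["user"], failures[ev["ip"]], ev["ts"]))
    return hits


def permit_root_login(sshd_config_text):
    """Effective PermitRootLogin value from an sshd_config body.

    As in sshd, the first occurrence of a keyword wins. Comments are stripped
    and the keyword is case-insensitive. Assumptions: whitespace-separated
    "keyword value" form (the "keyword=value" form and Match blocks are not
    handled), and a missing directive is reported as the assumed default
    "yes" of pre-7.0 OpenSSH releases."""
    for raw in sshd_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "permitrootlogin" and len(parts) == 2:
            return parts[1].strip().lower()
    return "yes"


if __name__ == "__main__":
    for ip, user, n, ts in find_bruteforce_successes(SAMPLE_LOG):
        print(f"{ts}: accepted password for {user} from {ip} after {n} failures")
    print("PermitRootLogin:", permit_root_login("Port 22\n# no directive\n"))
```

On the constructed sample the root login at 00:35:23 is reported with four prior failures from the same source, while the unrelated alice login is not, since its source had no failures. Counting failures per source rather than per user is deliberate: the "invalid user admin" line shows the same source probing other names, and a per-user counter would miss that context.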

Brian Ealdwine (eode) wrote : Re: [Bug 58074] Re: sshd hacked in only 50,000 tries

:-/ I didn't get back to this, and this bug is closed now. ..but for
informational purposes...

Regarding password probabilities reflecting reality, I was assuming that the
root password that came with the system was randomly generated, and wouldn't
be subject to dictionary or probabilistic attacks.

I may have done an expert install, I'm not sure (too long ago). I know I
did not set a root password, though.

I don't know how long the password is, I didn't set it and was not prompted
for it.

Given that my problem was before the fix for the debian SSL key generation
issue, it could be presumed that someone realized the existence of the bug
before it was reported and fixed, and was exploiting that.

This report contains Public Security information: everyone can see this security related information.