[linux] FWD: Likewise-open exploit on Ubuntu 10.04 with likewise-open5 package, Troj/BBDoS-B

Matt Weatherford mbw at u.washington.edu
Tue Jul 20 16:40:48 PDT 2010


UW Ubuntu Likewise-open users:

There appears to be a bug or configuration error with the Likewise-open5
package included with Ubuntu 10.04.... we found this when UWTech security
scanning reported suspicious activity on a 10.04 Ubuntu box sitting on an
unprotected public UW network.... somehow a remote attacker was able to log
in as the <Machine-name>\Administrator account (which did not have elevated
privs, but was scary anyway).

After I installed it, Linux Sophos AV scanning reported the following:


> A virus classified as 'Troj/BBDoS-B' was detected in the file
> '/tmp/udp.pl' when attempting to open it at Tue Jul 20 05:00:44 2010 PDT
> -1500 (2010-07-20 12:00:44 UTC). Access to the infected file was not
> allowed.


This is orthogonal to the original problem of being able to log in
remotely with the local administrator account, but I'm mentioning it in
case others are seeing a similar symptom.


According to Likewise, this problem exists in 5.4 and 6.0, but not in 5.3.
I have not verified these statements.


The fix seems to be to disallow the <Machinename>\Administrator account
like this:


lw-mod-user --disable-user <machine-name>\Administrator

I have not tested this yet. Likewise is aware of the problem and working to
get a fix sorted out and hopefully pushed upstream to the Ubuntu repos ASAP.

Other distros may also be affected, YMMV, etc.

-Matt




-------- Original Message --------
Subject: RE: likewise exploit on Ubuntu 10.04 with likewise-open5 package
Date: Tue, 20 Jul 2010 19:03:51 -0400
From: Michael Lampi <mlampi at likewise.com>
To: Matt Weatherford <mbw at u.washington.edu>



Meanwhile, you can disable the account using "lw-mod-user --disable-user
<machine-name>\Administrator".

-----Original Message-----
From: Michael Lampi
Sent: Tuesday, July 20, 2010 3:59 PM
To: 'Matt Weatherford'
Subject: RE: likewise exploit on Ubuntu 10.04 with likewise-open5
package

Hi Matt,

We have a local repro of the problem, and are trying to see why the
<machine-name>\Administrator account is not disabled like the
<machine-name>\Guest account.

It *is* disabled in Likewise 5.3, as it should be.

Michael Lampi

-----Original Message-----
From: Matt Weatherford [mailto:mbw at u.washington.edu]
Sent: Tuesday, July 20, 2010 3:14 PM
To: Michael Lampi
Subject: likewise exploit on Ubuntu 10.04 with likewise-open5 package

Michael,

We had a system here on the public net get compromised - or at least
someone remote logged in as the MACHINENAME\Administrator
account... this is a little scary...

We installed the machine with the name "SUN-U20", then I changed
/etc/hostname later to call it "jaxi.csde.washington.edu".


But I have seen logins from Romania and other foreign states as the
local account: (see SUN-U20)

root@jaxi:~# last
root     pts/4        lucky.csde.washi Tue Jul 20 15:07   still logged in
testu1   pts/3        :0.0             Tue Jul 20 14:59   still logged in
SUN-U20\ pts/2        93.122.210.35    Tue Jul 20 11:49 - 11:58  (00:08)
root     pts/2        c-98-232-93-86.h Tue Jul 20 08:12 - 10:26  (02:13)
SUN-U20\ pts/2        93.122.219.199   Tue Jul 20 04:57 - 05:41  (00:43)
SUN-U20\ pts/2        93.122.219.199   Tue Jul 20 03:37 - 03:38  (00:00)
testu1   pts/1        lucky.csde.washi Mon Jul 19 16:07   still logged in
testu1   pts/0        :0.0             Mon Jul 19 15:08   still logged in
testu1   tty7         :0               Mon Jul 19 14:46   still logged in
reboot   system boot  2.6.32-23-generi Mon Jul 19 14:46 - 15:07  (1+00:20)
testu1   pts/2        :0.0             Mon Jul 19 14:04 - down   (00:41)
SUN-U20\ pts/2        109.166.128.235  Mon Jul 19 12:29 - 13:08  (00:39)
SUN-U20\ pts/2        109.166.128.235  Mon Jul 19 12:18 - 12:25  (00:06)
SUN-U20\ pts/2        109.166.142.215  Mon Jul 19 05:09 - 05:28  (00:19)
SUN-U20\ pts/3        109.166.142.215  Mon Jul 19 02:55 - 04:45  (01:50)
SUN-U20\ pts/2        109.166.142.215  Mon Jul 19 02:54 - 02:56  (00:01)
SUN-U20\ pts/2        host8-4.brs.com. Mon Jul 19 00:18 - 01:00  (00:41)
SUN-U20\ pts/2        59.25.185.119    Sun Jul 18 05:12 - 05:12  (00:00)


Various auth.log stuff:

Jul 19 10:58:07 jaxi sshd[31927]: Did not receive identification string from 213.180.94.20
Jul 19 11:17:01 jaxi CRON[31964]: pam_unix(cron:session): session opened for user root by (uid=0)
Jul 19 11:17:01 jaxi CRON[31964]: pam_unix(cron:session): session closed for user root
Jul 19 12:17:01 jaxi CRON[32153]: pam_unix(cron:session): session opened for user root by (uid=0)
Jul 19 12:17:01 jaxi CRON[32153]: pam_unix(cron:session): session closed for user root
Jul 19 12:18:52 jaxi sshd[32160]: Accepted keyboard-interactive/pam for administrator from 109.166.128.235 port 54869 ssh2
Jul 19 12:18:52 jaxi sshd[32160]: pam_unix(sshd:session): session opened for user administrator by (uid=0)
Jul 19 12:25:40 jaxi sshd[32160]: fatal: login_init_entry: Cannot find user "SUN-U20\\Administrator"
Jul 19 12:25:40 jaxi sshd[32160]: pam_unix(sshd:session): session closed for user administrator
Jul 19 12:29:10 jaxi sshd[32202]: Accepted keyboard-interactive/pam for administrator from 109.166.128.235 port 51170 ssh2
Jul 19 12:29:10 jaxi sshd[32202]: pam_unix(sshd:session): session opened for user administrator by (uid=0)
Jul 19 13:08:46 jaxi sshd[32202]: pam_unix(sshd:session): session closed for user administrator
Jul 19 13:08:46 jaxi sshd[32202]: pam_env(sshd:setcred): No such user!?
Jul 19 13:17:01 jaxi CRON[32311]: pam_unix(cron:session): session opened for user root by (uid=0)
Jul 19 13:17:01 jaxi CRON[32311]: pam_unix(cron:session): session closed for user root
Jul 19 13:45:36 jaxi sshd[32365]: Did not receive identification string from 115.168.66.166
Jul 19 13:47:20 jaxi sshd[32370]: Did not receive identification string from 113.57.253.198
Jul 19 14:17:01 jaxi CRON[32552]: pam_unix(cron:session): session opened for user root by (uid=0)
Jul 19 14:17:01 jaxi CRON[32552]: pam_unix(cron:session): session closed for user root
Jul 19 14:41:19 jaxi sshd[32612]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=115.168.66.166 user=root



It looks like someone logged in as administrator, although I have never
set any password for that user and there is nothing in the /etc/hosts
file or in the AD domain.... it's the built-in local account
SUN-U20\Administrator....


anyway, this is frightening and weird

here is the version detail:

root@jaxi:~# lw-get-status
LSA Server Status:

Compiled daemon version: 5.0.0.0
Packaged product version: 5.4.0.42111
Uptime: 1 days 0 hours 26 minutes 35 seconds

[Authentication provider: lsa-activedirectory-provider]

Status: Online
Mode: Non-default Cell
Domain: CSDE.WASHINGTON.EDU
Forest: csde.washington.edu
Site: CSDE
Online check interval: 300 seconds
Sub mode: Schema
Cell:
CN=$LikewiseIdentityCell,OU=UNIX,DC=csde,DC=washington,DC=edu

....

[Authentication provider: lsa-local-provider]

Status: Online
Mode: Local system
root@jaxi:~#

root@jaxi:~# apt-show-versions | grep likew
likewise-open/lucid uptodate 5.4.0.42111-2ubuntu1
likewise-open5/lucid uptodate 5.4.0.42111-2ubuntu1
root@jaxi:~#



Matt



--
Matt Weatherford
Computing Core Director
Center for Studies in Demography and Ecology
218H Raitt Hall, Box 353412
University of Washington
Seattle, WA, USA, 98195 206-616-6169
http://csde.washington.edu
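The auth.log excerpt in the thread shows the pattern worth alerting on: an "Accepted keyboard-interactive/pam for administrator" line from an outside address, a later "login_init_entry: Cannot find user "MACHINE\\Administrator"" line carrying the same sshd PID, and then "session closed". The script below is an added example, not code from the thread or from Likewise; it parses that Ubuntu auth.log format, keeps every successful SSH login to a built-in local account (Administrator or Guest), pairs each sshd PID's "Accepted" line with its "session closed" line to get a dwell time, and records the resolved MACHINE\User name. The trusted address ranges, the 2010 log year and the sample log lines (documentation addresses, not the real ones) are assumptions made for the example.

```python
"""Flag SSH logins to a joined host's built-in Likewise local accounts.

Added example for the auth.log format quoted in this thread; not part of the
original posts. Correlates sshd lines by PID.
"""
import ipaddress
import re
from datetime import datetime

# Built-in accounts from Likewise's lsa-local-provider. The thread reports
# Administrator is enabled under 5.4 while Guest is disabled as expected.
BUILTIN_LOCAL_ACCOUNTS = {"administrator", "guest"}

# Address ranges treated as "own infrastructure". Hypothetical ranges chosen
# for this example; replace with your campus or office networks.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.0.2.0/24")]

_PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
ACCEPTED_RE = re.compile(
    _PREFIX + r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
SESSION_RE = re.compile(
    _PREFIX + r"pam_unix\(sshd:session\): session (?P<state>opened|closed) for user (?P<user>\S+)")
LOGIN_ENTRY_RE = re.compile(
    _PREFIX + r'fatal: login_init_entry: Cannot find user "(?P<name>[^"]+)"')


def _parse_ts(ts, year=2010):
    """auth.log timestamps carry no year; the thread's log is from July 2010 (assumed)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def _is_external(ip_text, trusted_nets):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:          # sshd normally logs an address; treat anything else as outside
        return True
    return not any(ip in net for net in trusted_nets)


def find_builtin_logins(lines, trusted_nets=TRUSTED_NETS):
    """Return one record per successful SSH login to a built-in local account."""
    findings = []
    open_by_pid = {}            # sshd PID -> record, removed on close so PID reuse is safe
    for line in lines:
        m = ACCEPTED_RE.match(line)
        if m:
            if m["user"].lower() not in BUILTIN_LOCAL_ACCOUNTS:
                continue
            rec = {"pid": m["pid"], "user": m["user"], "ip": m["ip"],
                   "method": m["method"],
                   "external": _is_external(m["ip"], trusted_nets),
                   "opened": _parse_ts(m["ts"]), "closed": None,
                   "duration_s": None, "resolved_name": None}
            findings.append(rec)
            open_by_pid[m["pid"]] = rec
            continue
        m = LOGIN_ENTRY_RE.match(line)
        if m and m["pid"] in open_by_pid:
            # sshd doubles the backslash in the log; normalise to MACHINE\User
            open_by_pid[m["pid"]]["resolved_name"] = m["name"].replace("\\\\", "\\")
            continue
        m = SESSION_RE.match(line)
        if m and m["state"] == "closed" and m["pid"] in open_by_pid:
            rec = open_by_pid.pop(m["pid"])
            rec["closed"] = _parse_ts(m["ts"])
            rec["duration_s"] = int((rec["closed"] - rec["opened"]).total_seconds())
    return findings


def format_report(findings):
    """One human-readable line per finding."""
    out = []
    for r in findings:
        dwell = "still open" if r["duration_s"] is None else f"{r['duration_s']}s"
        where = "EXTERNAL" if r["external"] else "internal"
        out.append(f"{r['opened']:%b %d %H:%M:%S} pid={r['pid']} user={r['user']} "
                   f"from={r['ip']} ({where}) via {r['method']} dwell={dwell} "
                   f"resolved={r['resolved_name'] or '?'}")
    return out


# Constructed sample in the auth.log format quoted in the thread; the
# addresses are documentation ranges, not the ones from the real incident.
SAMPLE_AUTH_LOG = r"""
Jul 19 12:18:52 jaxi sshd[32160]: Accepted keyboard-interactive/pam for administrator from 203.0.113.45 port 54869 ssh2
Jul 19 12:18:52 jaxi sshd[32160]: pam_unix(sshd:session): session opened for user administrator by (uid=0)
Jul 19 12:25:40 jaxi sshd[32160]: fatal: login_init_entry: Cannot find user "SUN-U20\\Administrator"
Jul 19 12:25:40 jaxi sshd[32160]: pam_unix(sshd:session): session closed for user administrator
Jul 19 12:30:00 jaxi sshd[32170]: Accepted publickey for testu1 from 192.0.2.10 port 50000 ssh2
Jul 19 12:45:00 jaxi sshd[32170]: pam_unix(sshd:session): session closed for user testu1
Jul 19 14:41:19 jaxi sshd[32612]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9 user=root
Jul 19 15:00:00 jaxi sshd[32700]: Accepted keyboard-interactive/pam for Guest from 198.51.100.7 port 40000 ssh2
Jul 19 15:00:00 jaxi sshd[32700]: pam_unix(sshd:session): session opened for user Guest by (uid=0)
""".strip().splitlines()

if __name__ == "__main__":
    print("\n".join(format_report(find_builtin_logins(SAMPLE_AUTH_LOG))))
```

Run it against a real /var/log/auth.log with `find_builtin_logins(open("/var/log/auth.log"))`; any record at all means the local Administrator or Guest account is both enabled and reachable over SSH, and an `external` record with a non-trivial dwell time is the situation described in the thread. Keying on the sshd PID is what lets the "Cannot find user" line be tied back to the login it belongs to.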





