My home machine has IP 50.54.225.130. I have (for the purposes of this experiment) one remote machine at www.peacefire.org (69.72.177.140) and another at www.junkwhale.com.
When I'm logged in to peacefire, I run this perl script to open an ssh connection to junkwhale and run a command:
    use strict;
    use warnings;
    use Net::SSH::Perl;
    use Net::SFTP;    # not used by this script; harmless to drop

    my $hostname        = "www.junkwhale.com";
    my $server_password = "[redacted!]";

    # Open an SSH session, authenticate as root with a password, and run a
    # single command rather than starting an interactive shell.
    my $ssh = Net::SSH::Perl->new($hostname);
    $ssh->login("root", $server_password);
    my ($stdout, $stderr, $exit) = $ssh->cmd("pwd");
    print "Stdout: $stdout\n";
    print "Stderr: $stderr\n";
    print "Exit:   $exit\n";
If I then log in by ssh to junkwhale from my home computer and run grep 'Accepted password' /var/log/secure the last two lines are:

    Jan 2 13:23:17 e2180-20059 sshd[12635]: Accepted password for root from 69.72.177.140 port 1023 ssh2
    Jan 2 13:23:28 e2180-20059 sshd[12684]: Accepted password for root from 50.54.225.130 port 52484 ssh2
which is correct -- the first line is from the perl script connecting from Peacefire (69.72.177.140) and the second line is for the connection I just opened from my home computer.
If, however, I run the "last" command, the first two lines are just:

    root pts/0 50-54-225-130.ev Mon Jan 2 13:23 still logged in
    root pts/0 50-54-225-130.ev Mon Jan 2 01:52 - 01:52 (00:00)

In other words, the "last" command doesn't list the connection opened up by the Perl script. It only lists the times that I've connected by opening a connection manually with my SSH client. Presumably that means the connection with the perl script is not being logged in /var/log/wtmp, although the contents of the file are binary so I couldn't make much sense of them directly with a screen dump.
This makes me wonder two things:
1) What is the difference, from the server's point of view, between the connection opened by the script and the one opened by my ssh client; and
2) More seriously, whatever it is that's different about the connection opened by the perl script, isn't it a bug that that connection is not recorded in wtmp? If admins frequently use the "last" command to determine who has logged into the server, couldn't an attacker do this to avoid detection?
Bennett
On 01/02/2012 03:04 PM, Bennett Haselton wrote:
> My home machine has IP 50.54.225.130. I have (for the purposes of this experiment) one remote machine at www.peacefire.org (69.72.177.140) and another at www.junkwhale.com.
In general it is better not to post actual hostnames and IP addresses on public lists. Doing so can invite further attacks, particularly if your posting exposes vulnerabilities in your system.
> When I'm logged in to peacefire, I run this perl script to open an ssh connection to junkwhale and run a command:
>
>     my $hostname="www.junkwhale.com";
>     my $server_password = "[redacted!]";
>     use Net::SFTP;
>     use Net::SSH::Perl;
>     my $ssh = Net::SSH::Perl->new($hostname);
>     $ssh->login("root", $server_password);
>     my($stdout, $stderr, $exit) = $ssh->cmd("pwd");
>     print "Stdout: $stdout\n";
>     print "Stderr: $stderr\n";
>
> If I then log in by ssh to junkwhale from my home computer and run grep 'Accepted password' /var/log/secure the last two lines are:
>
>     Jan 2 13:23:17 e2180-20059 sshd[12635]: Accepted password for root from 69.72.177.140 port 1023 ssh2
>     Jan 2 13:23:28 e2180-20059 sshd[12684]: Accepted password for root from 50.54.225.130 port 52484 ssh2
>
> which is correct -- the first line is from the perl script connecting from Peacefire (69.72.177.140) and the second line is for the connection I just opened from my home computer.
> If, however, I run the "last" command, the first two lines are just:
>
>     root pts/0 50-54-225-130.ev Mon Jan 2 13:23 still logged in
>     root pts/0 50-54-225-130.ev Mon Jan 2 01:52 - 01:52 (00:00)
>
> In other words, the "last" command doesn't list the connection opened up by the Perl script. It only lists the times that I've connected by opening a connection manually with my SSH client. Presumably that means the connection with the perl script is not being logged in /var/log/wtmp, although the contents of the file are binary so I couldn't make much sense of them directly with a screen dump.
> This makes me wonder two things:
> 1) What is the difference, from the server's point of view, between the connection opened by the script and the one opened by my ssh client; and
> 2) More seriously, whatever it is that's different about the connection opened by the perl script, isn't it a bug that that connection is not recorded in wtmp? If admins frequently use the "last" command to determine who has logged into the server, couldn't an attacker do this to avoid detection?
The connection opened by the script is not considered an interactive login on a terminal device and is therefore not reported by "last". It would be nice if there were a way to have sshd log the command line that was executed for non-interactive connections, but I don't see a way to do that. The reality is that the log files really need to be monitored.
Nataraj
On Mon, Jan 02, 2012 at 03:04:07PM -0800, Bennett Haselton wrote:
> This makes me wonder two things:
> 1) What is the difference, from the server's point of view, between the connection opened by the script and the one opened by my ssh client; and
Spot the difference between

    ssh remotemachine

and

    ssh remotemachine echo hello
The first is a login (shows up in "last"), the second is not. Your perl script does the moral equivalent of the second.
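Both replies land on the same operational point: wtmp (and so "last") only records terminal sessions, while the sshd lines in /var/log/secure record every accepted authentication, so the two have to be reconciled. The script below is an added example for this thread, not code from any of the posters. It parses sshd "Accepted" lines and "last" output and reports logins that sshd accepted but that never appeared as a session in wtmp, which is what an `ssh host cmd` or Net::SSH::Perl cmd() connection looks like. It assumes "last" was run as `last -i` (so the host column holds the client IP rather than the truncated reverse-DNS name seen in the thread) and that the caller supplies the year, because syslog timestamps omit it. The sample log lines are constructed, modelled on the ones quoted above.

```python
"""Reconcile sshd "Accepted" lines against the sessions `last` reports.

Added example for this thread, not code from any poster. It flags logins that
sshd accepted but that never became a terminal session in wtmp, which is
exactly what an `ssh host cmd` or Net::SSH::Perl cmd() connection looks like.
Assumptions: `last` was run as `last -i` (client IP instead of the truncated
reverse-DNS name) and the caller supplies the year, since syslog lines omit it.
"""
import re
from datetime import datetime, timedelta

# Constructed sample of /var/log/secure, modelled on the lines in the thread.
SECURE_LOG = """\
Jan  2 01:52:03 e2180-20059 sshd[11001]: Accepted password for root from 50.54.225.130 port 50112 ssh2
Jan  2 13:23:17 e2180-20059 sshd[12635]: Accepted password for root from 69.72.177.140 port 1023 ssh2
Jan  2 13:23:28 e2180-20059 sshd[12684]: Accepted password for root from 50.54.225.130 port 52484 ssh2
"""

# Constructed sample of `last -i` output, including a reboot record and the
# trailing "wtmp begins" footer that a parser has to skip.
LAST_OUTPUT = """\
root     pts/0        50.54.225.130    Mon Jan  2 13:23   still logged in
root     pts/0        50.54.225.130    Mon Jan  2 01:52 - 01:52  (00:00)
reboot   system boot  2.6.18-238.el5   Sun Jan  1 00:00 - 13:30 (1+13:30)

wtmp begins Sun Jan  1 00:00:01 2012
"""

ACCEPTED_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<hms>\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<host>\S+) port (?P<port>\d+)"
)
# user, tty, host, weekday (discarded), month, day, HH:MM
LAST_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+"
    r"\w{3} (?P<mon>\w{3})\s+(?P<day>\d+) (?P<hm>\d{2}:\d{2})"
)


def parse_accepted(text, year):
    """sshd 'Accepted' lines -> list of dicts carrying a full datetime."""
    events = []
    for line in text.splitlines():
        m = ACCEPTED_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['hms']}",
                                 "%Y %b %d %H:%M:%S")
        events.append({"when": when, "user": m["user"], "host": m["host"],
                       "port": int(m["port"]), "method": m["method"]})
    return events


def parse_last(text, year):
    """`last -i` lines -> list of terminal sessions (minute resolution)."""
    sessions = []
    for line in text.splitlines():
        m = LAST_RE.match(line)
        if not m:  # blank line, "wtmp begins" footer, or a reboot record
            continue
        when = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['hm']}",
                                 "%Y %b %d %H:%M")
        sessions.append({"when": when, "user": m["user"],
                         "tty": m["tty"], "host": m["host"]})
    return sessions


def unaccounted_logins(secure_text, last_text, year,
                       tolerance=timedelta(minutes=2)):
    """Accepted logins with no wtmp session for the same user and client
    address within `tolerance`. Each session is consumed at most once, so
    two accepted connections from one address in the same minute cannot
    both hide behind a single terminal session."""
    sessions = parse_last(last_text, year)
    used = set()
    missing = []
    for ev in parse_accepted(secure_text, year):
        hit = next((i for i, s in enumerate(sessions)
                    if i not in used
                    and s["user"] == ev["user"] and s["host"] == ev["host"]
                    and abs(s["when"] - ev["when"]) <= tolerance), None)
        if hit is None:
            missing.append(ev)
        else:
            used.add(hit)
    return missing


if __name__ == "__main__":
    for ev in unaccounted_logins(SECURE_LOG, LAST_OUTPUT, 2012):
        print(f"{ev['when']} {ev['user']} from {ev['host']}:{ev['port']} "
              f"({ev['method']}) accepted by sshd but absent from wtmp")
```

Run against the sample, it reports the 13:23:17 login from 69.72.177.140 (the Net::SSH::Perl connection) and nothing else. On a real host, feed it the output of `grep Accepted /var/log/secure` and `last -i`, and treat the auth log, not wtmp, as the authoritative record of who authenticated; wtmp only tells you who got a terminal.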