Threat Level: green Handler on Duty: Jim Clausing

SANS ISC: Scanning for Fortinet ssh backdoor - SANS Internet Storm Center


Scanning for Fortinet ssh backdoor

On 11 Jan, a Python script was posted on the full-disclosure mailing list that took advantage of a hardcoded ssh password in some older versions of various products from Fortinet (see complete list in Ref [1] below).  Looking at our collected ssh data, we've seen an increase in scanning for those devices in the days since the revelation of the vulnerability.  Nearly all of this scanning has come from two IPs in China (124.160.116.194 and 183.131.19.18).  So if you haven't already applied patches and put ACLs/firewall rules in front of these devices limiting access to ssh from only specific management IPs, you have probably already been scanned and possibly pwned.

References:

[1] http://www.fortiguard.com/advisory/multiple-products-ssh-undocumented-login-vulnerability

---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

Jim

399 Posts
ISC Handler
Do you mind telling me what username & pw you guys put in your honeypot?
Krypt0ni8

21 Posts
I'm not sure what you are asking; these reports come from kippo and cowrie installations around the internet. For this graph I just pulled out attempts to ssh in with a username of Fortimanager_Access, which is the account with the hardcoded password on the vulnerable devices.
Jim

399 Posts
ISC Handler
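One way to pull the same view out of a cowrie sensor's JSON log, as an added example that is not part of the diary or of the cowrie project: it keeps only login events for the Fortimanager_Access account, counts them per source IP and records when each source was first seen. The log lines are constructed, the field names (eventid, username, src_ip, timestamp) follow cowrie's JSON output, and the password values are placeholders.

```python
import json
from collections import Counter

# Constructed sample of cowrie JSON log lines (not real honeypot data);
# passwords are placeholders, the hardcoded value is deliberately not reproduced.
SAMPLE_LOG = """\
{"eventid": "cowrie.login.failed", "username": "root", "password": "placeholder1", "src_ip": "198.51.100.7", "timestamp": "2016-01-12T03:14:15.000000Z"}
{"eventid": "cowrie.login.failed", "username": "Fortimanager_Access", "password": "placeholder2", "src_ip": "203.0.113.10", "timestamp": "2016-01-12T03:20:01.000000Z"}
{"eventid": "cowrie.session.connect", "src_ip": "203.0.113.10", "timestamp": "2016-01-12T03:20:00.000000Z"}
{"eventid": "cowrie.login.success", "username": "Fortimanager_Access", "password": "placeholder2", "src_ip": "203.0.113.10", "timestamp": "2016-01-12T03:21:30.000000Z"}
{"eventid": "cowrie.login.failed", "username": "Fortimanager_Access", "password": "placeholder3", "src_ip": "203.0.113.44", "timestamp": "2016-01-12T04:02:09.000000Z"}
not valid json
"""

TARGET_USER = "Fortimanager_Access"
LOGIN_EVENTS = {"cowrie.login.failed", "cowrie.login.success"}


def backdoor_attempts(lines, username=TARGET_USER):
    """Yield (src_ip, timestamp, succeeded) for every login attempt with `username`."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON lines such as truncated writes
        if event.get("eventid") not in LOGIN_EVENTS or event.get("username") != username:
            continue
        yield (event.get("src_ip"), event.get("timestamp"),
               event["eventid"] == "cowrie.login.success")


def count_by_source(lines, username=TARGET_USER):
    """Attempts per source IP: the view that exposes a handful of scanners."""
    return Counter(src for src, _, _ in backdoor_attempts(lines, username))


def first_seen(lines, username=TARGET_USER):
    """Earliest timestamp per source IP (ISO-8601 strings compare lexically)."""
    seen = {}
    for src, ts, _ in backdoor_attempts(lines, username):
        if src not in seen or ts < seen[src]:
            seen[src] = ts
    return seen
```

Run `count_by_source(SAMPLE_LOG.splitlines()).most_common()` to get the per-IP ranking; on a real sensor, feed it the lines of cowrie's JSON log instead of the constructed sample.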
Sorry, my bad. I thought you pulled that out from your own Kippo. Maybe I should start uploading mine.
Krypt0ni8

21 Posts
No problem. We encourage more folks to upload their ssh logs. Johannes tells me this is actually easiest to do in cowrie rather than kippo. You just need to put the userid and API key in the config; it is already built in. I haven't moved my own kippo sensors over to cowrie yet, but plan to work on that this weekend now that I have a cowrie deploy script for MHN. Perhaps I'll report on how that worked on my next handler shift.
Jim

399 Posts
ISC Handler