Threat Level: green Handler on Duty: Jim Clausing

SANS ISC: InfoSec Handlers Diary Blog - Scanning for Fortinet ssh backdoor InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Scanning for Fortinet ssh backdoor

Published: 2016-01-21
Last Updated: 2016-01-21 21:13:53 UTC
by Jim Clausing (Version: 1)
4 comment(s)

On 11 Jan, a Python script was posted on the full-disclosure mailing list that took advantage of a hardcoded ssh password in some older versions of various products from Fortinet (see complete list in Ref [1] below).  Looking at our collected ssh data, we've seen an increase in scanning for those devices in the days since the revelation of the vulnerability.  Nearly all of this scanning has come from two IPs in China (124.160.116.194 and 183.131.19.18).  So if you haven't already applied patches and put ACLs/firewall rules in front of these devices limiting access to ssh from only specific management IPs, you have probably already been scanned and possibly pwned.

References:

[1] http://www.fortiguard.com/advisory/multiple-products-ssh-undocumented-login-vulnerability

---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

4 comment(s)
Diary Archives