hacking attempt

F 10 lip at lip.net.ua
Sat May 7 05:59:08 EST 2011

Today I found this in my logs:

May  6 01:36:14 xxx sshd[27880]: Address x.x.x.x maps to xxx.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
May  6 01:36:15 xxx sshd[27880]: *Accepted publickey* for root from x.x.x.x port 55707 ssh2
May  6 01:36:15 xxx sshd[27880]: pam_unix(sshd:session): session opened for user root by (uid=0)
May  6 01:36:15 xxx sshd[27880]: subsystem request for sftp

sshd_config always had PermitRootLogin no

/root/.ssh was always empty

md5sum /usr/sbin/sshd
f8c11462e8f2a7bf80e212e06041492b  /usr/sbin/sshd

md5sum sshd #binary from .deb
f8c11462e8f2a7bf80e212e06041492b  sshd

OS Debian GNU/Linux 6.0
SSH-2.0-OpenSSH_5.5p1 Debian-6

How is this possible?
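
An added example, not part of the original post: Python that groups sshd syslog lines by PID and reports each accepted root login together with the reverse-mapping warning and sftp request from the same connection. The log sample is constructed in the post's format with placeholder hosts and addresses, and `root_logins` and its `permit_root_login` parameter are names introduced here.

```python
import re
from collections import defaultdict

# Constructed sample in the same sshd/syslog format as the post.
# Host names and addresses are placeholders, not values from the post.
SAMPLE_LOG = """\
May  6 01:36:14 host sshd[27880]: Address 192.0.2.10 maps to example.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
May  6 01:36:15 host sshd[27880]: Accepted publickey for root from 192.0.2.10 port 55707 ssh2
May  6 01:36:15 host sshd[27880]: pam_unix(sshd:session): session opened for user root by (uid=0)
May  6 01:36:15 host sshd[27880]: subsystem request for sftp
May  6 02:10:01 host sshd[28001]: Accepted password for alice from 198.51.100.7 port 40122 ssh2
May  6 02:11:40 host sshd[28033]: Failed password for root from 203.0.113.5 port 51000 ssh2
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[(\d+)\]: (.*)$")
ACCEPTED = re.compile(r"^Accepted (\S+) for (\S+) from (\S+) port (\d+)")
REVERSE = re.compile(r"^Address (\S+) maps to \S+, but this does not map back")

def root_logins(log_text, permit_root_login="no"):
    """Return one finding per accepted root login, correlated by sshd PID."""
    by_pid = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if m:  # keep only sshd lines; group them per connection (PID)
            by_pid[m.group(2)].append((m.group(1), m.group(3)))
    findings = []
    for pid, events in by_pid.items():
        messages = [msg for _, msg in events]
        for ts, msg in events:
            a = ACCEPTED.match(msg)
            if a and a.group(2) == "root":
                findings.append({
                    "time": ts, "pid": pid, "method": a.group(1),
                    "source": a.group(3),
                    "reverse_dns_mismatch": any(REVERSE.match(x) for x in messages),
                    "sftp": "subsystem request for sftp" in messages,
                    # Assumption: the caller passes the configured value;
                    # any accepted root login contradicts "PermitRootLogin no".
                    "violates_policy": permit_root_login == "no",
                })
    return findings

if __name__ == "__main__":
    for finding in root_logins(SAMPLE_LOG):
        print(finding)
```

PIDs are reused over time, so on a long log the grouping key should also include the date.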
