hacking attempt

Ángel González keisial at gmail.com
Sat May 7 07:09:10 EST 2011


F 10 wrote:
> Hello,
> today I found this in my logs:
>
> May  6 01:36:14 xxx sshd[27880]: Address x.x.x.x maps to xxx.com, but this
> does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
> May  6 01:36:15 xxx sshd[27880]: *Accepted publickey* for root from x.x.x.x
> port 55707 ssh2
> May  6 01:36:15 xxx sshd[27880]: pam_unix(sshd:session): session opened for
> user root by (uid=0)
> May  6 01:36:15 xxx sshd[27880]: subsystem request for sftp
>
> In sshd_config, PermitRootLogin has always been "no".
>
> /root/.ssh has always been empty.
>
> md5sum /usr/sbin/sshd
> f8c11462e8f2a7bf80e212e06041492b  /usr/sbin/sshd
>
> md5sum sshd #binary from .deb
> f8c11462e8f2a7bf80e212e06041492b  sshd
>
> OS Debian GNU/Linux 6.0
> SSH-2.0-OpenSSH_5.5p1 Debian-6
>
> How is this possible?
Perhaps 27880 wasn't the normal sshd instance, but one run with a different
config, or a trojaned one?
(That raises the question of how they could have launched such a hypothetical
'evil sshd' in the first place, though.)
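The md5sum comparison in the original post only shows that the file on disk matches the package; it says nothing about which binary, and which config file, the process that logged as sshd[27880] was actually running (a second sshd started with -f or -o, or a replaced binary that was later swapped back, would produce exactly this log). The following is an added example, not code from the thread or from OpenSSH, showing the first cross-check a responder would script: parse the global PermitRootLogin value from sshd_config (OpenSSH takes the first occurrence of a keyword; values inside Match blocks are conditional) and flag every "Accepted ... for root" line that the configured value should have refused, carrying along the forward/reverse-DNS warning the same process logged just before. Log lines and the config fragment are constructed, with placeholder addresses modelled on the quoted log.

```python
"""Cross-check sshd 'Accepted' log lines against the PermitRootLogin setting.

Added example for this thread; the log sample and config fragment below are
constructed, not taken from a real host.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample, modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
May  6 01:36:14 xxx sshd[27880]: Address 192.0.2.10 maps to xxx.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
May  6 01:36:15 xxx sshd[27880]: Accepted publickey for root from 192.0.2.10 port 55707 ssh2
May  6 01:36:15 xxx sshd[27880]: pam_unix(sshd:session): session opened for user root by (uid=0)
May  6 01:36:15 xxx sshd[27880]: subsystem request for sftp
May  6 02:10:03 xxx sshd[28001]: Accepted publickey for alice from 198.51.100.7 port 50122 ssh2
May  6 02:11:45 xxx sshd[28044]: Failed password for root from 203.0.113.9 port 41000 ssh2
"""

# Constructed sshd_config fragment (hypothetical host).
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication yes
"""

ACCEPTED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)
DNS_MISMATCH_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Address (?P<ip>\S+) maps to (?P<name>\S+), "
    r"but this does not map back"
)


@dataclass
class Login:
    pid: int
    method: str
    user: str
    ip: str
    port: int
    dns_mismatch: bool  # same sshd process logged a forward/reverse DNS mismatch


def permit_root_login(config_text: str) -> str:
    """Return the global PermitRootLogin value from an sshd_config text.

    OpenSSH uses the first occurrence of a keyword, so we stop at the first
    match and ignore everything after a Match block begins. The default when
    the keyword is absent is 'yes'.
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if key == "permitrootlogin" and len(parts) == 2:
            return parts[1].strip().lower()
    return "yes"


def parse_sshd_log(log_text: str) -> List[Login]:
    """Extract accepted logins, tagging those preceded by a DNS-mismatch warning
    from the same sshd[pid]."""
    mismatched_pids = set()
    logins: List[Login] = []
    for line in log_text.splitlines():
        m = DNS_MISMATCH_RE.search(line)
        if m:
            mismatched_pids.add(int(m.group("pid")))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            pid = int(m.group("pid"))
            logins.append(Login(pid, m.group("method"), m.group("user"),
                                m.group("ip"), int(m.group("port")),
                                pid in mismatched_pids))
    return logins


def root_login_forbidden(setting: str, method: str) -> bool:
    """Should the given PermitRootLogin value have refused this auth method for root?"""
    if setting == "no":
        return True
    if setting in ("without-password", "forced-commands-only"):
        return method in ("password", "keyboard-interactive")
    return False


def find_anomalies(logins: List[Login], setting: str) -> List[str]:
    """Report root logins that the configured PermitRootLogin should have refused.
    Each hit means the sshd process that logged it was not enforcing the
    expected config: a different instance, a different config file, or an
    altered binary."""
    findings = []
    for l in logins:
        if l.user == "root" and root_login_forbidden(setting, l.method):
            note = " (after DNS mismatch warning)" if l.dns_mismatch else ""
            findings.append(
                f"pid {l.pid}: root {l.method} login from {l.ip}:{l.port} accepted "
                f"although PermitRootLogin is '{setting}'{note}"
            )
    return findings


if __name__ == "__main__":
    setting = permit_root_login(SAMPLE_SSHD_CONFIG)
    for finding in find_anomalies(parse_sshd_log(SAMPLE_LOG), setting):
        print(finding)
```

A hit from this script is the starting point, not the conclusion: on a live host the next steps are to look at /proc/PID/exe and /proc/PID/cmdline for every running sshd (the -f and -o arguments show a non-default config), list which process owns the listening socket, and verify the installed package files with the distribution's tools rather than a single hand-picked checksum.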




More information about the openssh-unix-dev mailing list