hacking attempt

Kevin Boers dgtlshdw at gmail.com
Sat May 7 07:48:58 EST 2011


That's the exact scenario I've seen before: someone got in with
another exploit and replaced my sshd with a hacked one. I'd search to
see if there's more than one sshd, and if any of the settings have
been replaced. I've since put monitoring around the files to make sure
they don't change.

K

2011/5/6 Ángel González <keisial at gmail.com>:
> F 10 wrote:
>> Hello,
>> today I find in my logs
>>
>> May  6 01:36:14 xxx sshd[27880]: Address x.x.x.x maps to xxx.com, but this
>> does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
>> May  6 01:36:15 xxx sshd[27880]: *Accepted publickey* for root from x.x.x.x
>> port 55707 ssh2
>> May  6 01:36:15 xxx sshd[27880]: pam_unix(sshd:session): session opened for
>> user root by (uid=0)
>> May  6 01:36:15 xxx sshd[27880]: subsystem request for sftp
>>
>> In the sshd_config was always PermitRootLogin no
>>
>> /root/.ssh always was empty
>>
>> md5sum /usr/sbin/sshd
>> f8c11462e8f2a7bf80e212e06041492b  /usr/sbin/sshd
>>
>> md5sum sshd #binary from .deb
>> f8c11462e8f2a7bf80e212e06041492b  sshd
>>
>> OS Debian GNU/Linux 6.0
>> SSH-2.0-OpenSSH_5.5p1 Debian-6
>>
>> How is it possible?
> Perhaps 27880 wasn't the normal sshd instance, but run with different
> config/a trojaned one?
> (that bears the question on how they could launch such hypothetical
> 'evil sshd' before, though)
>
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
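A defender-side check for the two suggestions in this thread (Ángel's: was PID 27880 really the normal sshd; Kevin's: look for more than one sshd and watch the files for changes), added here as an example and not taken from the thread. Paths are the Debian defaults; the baseline file location is an assumption.

```sh
#!/bin/sh
# Added example, not from the thread. Lists every process named sshd with the binary it
# is really running from (/proc/PID/exe) and the config it was started with, then keeps a
# sha256 baseline of the sshd files so a later replacement is noticed. md5sum on
# /usr/sbin/sshd only proves the on-disk file matches the .deb; a second instance started
# from another path, or with "-f /some/other/config", passes that check unnoticed.

# One line per sshd process: PID, real executable, config file ("default" if no -f given).
# An exe path other than /usr/sbin/sshd, or ending in " (deleted)", deserves a close look.
list_sshd_instances() {
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        comm=$(cat "$p/comm" 2>/dev/null) || continue
        [ "$comm" = "sshd" ] || continue
        exe=$(readlink "$p/exe" 2>/dev/null) || exe="unknown"
        # cmdline is NUL separated; split into words and pick up the argument after -f.
        # (Paths containing spaces are not handled; sshd_config paths normally have none.)
        cfg=default
        set -- $(tr '\000' ' ' < "$p/cmdline" 2>/dev/null)
        while [ $# -gt 1 ]; do
            [ "$1" = "-f" ] && cfg=$2
            shift
        done
        printf '%s %s %s\n' "$pid" "$exe" "$cfg"
    done
    return 0
}

# record_baseline BASELINE_FILE FILE... : store sha256 of the watched files.
# Keep BASELINE_FILE where the intruder cannot rewrite it (read-only media, another host).
record_baseline() {
    baseline=$1
    shift
    sha256sum "$@" > "$baseline"
}

# check_baseline BASELINE_FILE : exit 0 if every file still matches, 1 otherwise
# (mismatched and missing files are reported by sha256sum).
check_baseline() {
    sha256sum -c --quiet "$1"
}

# Typical use on the affected host (paths are the Debian defaults, baseline path assumed):
#   list_sshd_instances
#   record_baseline /var/backups/sshd.sha256 /usr/sbin/sshd /etc/ssh/sshd_config
#   check_baseline /var/backups/sshd.sha256   # run from cron and alert on non-zero exit
```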

