hacking attempt

Scott Neugroschl scott_n at xypro.com
Sat May 7 07:55:53 EST 2011


Do you normally run your sshd on 55707?

> -----Original Message-----
> From: openssh-unix-dev-bounces+scott_n=xypro.com at mindrot.org
> [mailto:openssh-unix-dev-bounces+scott_n=xypro.com at mindrot.org] On
> Behalf Of Ángel González
> Sent: Friday, May 06, 2011 2:09 PM
> To: F 10; openssh-unix-dev at mindrot.org
> Subject: Re: hacking attempt
> 
> F 10 wrote:
> > Hello,
> > today I found in my logs
> >
> > May  6 01:36:14 xxx sshd[27880]: Address x.x.x.x maps to xxx.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
> > May  6 01:36:15 xxx sshd[27880]: *Accepted publickey* for root from x.x.x.x port 55707 ssh2
> > May  6 01:36:15 xxx sshd[27880]: pam_unix(sshd:session): session opened for user root by (uid=0)
> > May  6 01:36:15 xxx sshd[27880]: subsystem request for sftp
> >
> > In the sshd_config was always PermitRootLogin no
> >
> > /root/.ssh always was empty
> >
> > md5sum /usr/sbin/sshd
> > f8c11462e8f2a7bf80e212e06041492b  /usr/sbin/sshd
> >
> > md5sum sshd #binary from .deb
> > f8c11462e8f2a7bf80e212e06041492b  sshd
> >
> > OS Debian GNU/Linux 6.0
> > SSH-2.0-OpenSSH_5.5p1 Debian-6
> >
> > How is it possible?
> Perhaps 27880 wasn't the normal sshd instance, but one run with a different
> config / a trojaned one?
> (that raises the question of how they could launch such a hypothetical
> 'evil sshd' before, though)
> 
> 
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

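Added example, not part of the thread: a small defender-side audit of the sshd lines quoted above. It groups the log by sshd child pid (one pid per connection), flags a "root" login accepted while the stated PermitRootLogin is "no", and records the reverse-DNS warning and the sftp subsystem request on the same connection. The log text is a constructed sample modelled on the quoted lines, with documentation addresses substituted for the x.x.x.x placeholders.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the lines quoted in the thread
# (addresses are documentation ranges, not real hosts).
SAMPLE_LOG = """\
May  6 01:36:14 xxx sshd[27880]: Address 203.0.113.7 maps to example.com, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
May  6 01:36:15 xxx sshd[27880]: Accepted publickey for root from 203.0.113.7 port 55707 ssh2
May  6 01:36:15 xxx sshd[27880]: pam_unix(sshd:session): session opened for user root by (uid=0)
May  6 01:36:15 xxx sshd[27880]: subsystem request for sftp
May  6 02:10:01 xxx sshd[27991]: Accepted publickey for alice from 198.51.100.9 port 51022 ssh2
"""

# One sshd child process (pid) handles one connection, so the pid ties the lines together.
LINE_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ACCEPT_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
RDNS_RE = re.compile(r"^Address (?P<ip>\S+) maps to (?P<name>\S+), but this does not map back")


def audit_sshd_log(log_text, permit_root_login="no"):
    """Group sshd lines per connection (pid) and report logins that contradict the
    configured policy or carry the reverse-DNS warning. Note that the port in
    'from IP port N' is the client's source port, not the port sshd listens on."""
    sessions = defaultdict(lambda: {"rdns_mismatch": False, "accepted": None, "sftp": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = sessions[m.group("pid")]
        msg = m.group("msg")
        if RDNS_RE.match(msg):
            s["rdns_mismatch"] = True
        elif (a := ACCEPT_RE.match(msg)):
            s["accepted"] = a.groupdict()
        elif msg.startswith("subsystem request for sftp"):
            s["sftp"] = True

    findings = []
    for pid, s in sessions.items():
        a = s["accepted"]
        if a is None:
            continue
        reasons = []
        if a["user"] == "root" and permit_root_login == "no":
            reasons.append("root login accepted although PermitRootLogin is " + permit_root_login)
        if s["rdns_mismatch"]:
            reasons.append("reverse DNS of peer does not map back to its address")
        if reasons:
            findings.append({"pid": pid, "user": a["user"], "method": a["method"],
                             "peer": a["ip"], "client_port": a["port"], "sftp": s["sftp"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_sshd_log(SAMPLE_LOG):
        print(finding)
```

Run against a real /var/log/auth.log the same way; a finding whose pid matches a running sshd child that is not a descendant of the listening sshd is exactly the "different instance" case raised in the thread.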