[lug] Have I been hacked?

Ben bluey at iguanaworks.net
Wed Aug 29 10:31:07 MDT 2007


I have a cron job that runs every hour on machine A. It connects to a 
remote server (machine B) via ssh using key exchange. If the connection 
fails, it waits 5 minutes and tries again. Today in my e-mail from 
machine A, I got 9 copies of

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The RSA host key for iguanaworks.net has changed,
and the key for the according IP address XXX.XXX.XXX.XXX
is unknown. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX.
Please contact your system administrator.
Add correct host key in /home/administrator/.ssh/known_hosts to get rid of this message.
Offending key in /home/administrator/.ssh/known_hosts:1
RSA host key for iguanaworks.net has changed and you have requested strict checking.
Host key verification failed.
Fatal error: Lost connection with the server

sent every 5 minutes. On machine B, the logs show successful connects from Machine A until 2:20am this morning. At 3:20, the connection failed (only message: Connect closed by Machine A IP address) and that message repeats every 5 minutes until all of a sudden at 4:00 it started working again. So for 50 minutes, the keys didn't authenticate and then all of a sudden they did again.

Now, I checked on Machine B and it currently has, and previously had, the same RSA key as listed in the connection warning message: 

The fingerprint for the RSA key sent by the remote host is
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX.

It is as if the key on machine A (/home/administrator/.ssh/known_hosts) changed for about an hour and then changed back. Is this an indication of someone hacking either box? If not, what would cause this? I haven't seen anything suspicious in the logs.


Thanks,

Ben
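The two warnings in the post come from ssh comparing the key machine B presented against the known_hosts entries for the hostname and for the IP address. The following is an added example, not code from the original post or from OpenSSH: it parses a constructed known_hosts file (plain and hashed hostnames), prints the MD5 colon-hex fingerprint that OpenSSH printed in 2007 alongside the modern SHA256 form, and reproduces the decision that leads to "POSSIBLE DNS SPOOFING" (key changed for the hostname, IP address unknown) versus a plain "REMOTE HOST IDENTIFICATION HAS CHANGED". The hostnames, IP addresses, salt and the tiny RSA moduli are all constructed for illustration; the spoofing-warning logic is an approximation of ssh's CheckHostIP behaviour, not its code.

```python
"""Check a host key against an OpenSSH known_hosts file the way ssh does.

Added example, not from the original post. All hosts, keys and the salt
below are constructed; real RSA moduli are 2048 bits or more.
"""
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """SSH mpint: minimal big-endian bytes, with a leading 0x00 if the high bit is set."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def rsa_key_blob(e: int, n: int) -> bytes:
    """Public key blob for an ssh-rsa key (RFC 4253): "ssh-rsa", e, n."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def fingerprints(blob: bytes) -> dict:
    """MD5 colon-hex (what OpenSSH printed in 2007) and SHA256 base64 (modern OpenSSH)."""
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"MD5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
            "SHA256": "SHA256:" + sha}


def hash_hostname(host: str, salt: bytes) -> str:
    """OpenSSH hashed host field: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(host_field: str, host: str) -> bool:
    """Does a known_hosts host field (comma list, or hashed form) cover this host?"""
    if host_field.startswith("|1|"):
        _, _, salt_b64, _ = host_field.split("|", 3)
        return hmac.compare_digest(hash_hostname(host, base64.b64decode(salt_b64)), host_field)
    return host in host_field.split(",")


def check_host_key(known_hosts: str, host: str, keytype: str, key_b64: str):
    """Return ('match' | 'changed' | 'unknown', known_hosts line number or None)."""
    for lineno, line in enumerate(known_hosts.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):          # @cert-authority / @revoked marker
            fields = fields[1:]
        hosts, ktype, kb64 = fields[0], fields[1], fields[2]
        if ktype != keytype or not host_matches(hosts, host):
            continue
        return ("match" if kb64 == key_b64 else "changed"), lineno
    return "unknown", None


def diagnose(known_hosts: str, host: str, ip: str, keytype: str, key_b64: str) -> str:
    """Approximation of ssh's CheckHostIP decision behind the post's two warnings."""
    by_host, _ = check_host_key(known_hosts, host, keytype, key_b64)
    by_ip, _ = check_host_key(known_hosts, ip, keytype, key_b64)
    if by_host == "match":
        return "ok"
    if by_host == "changed" and by_ip == "unknown":
        return "dns-spoofing-warning"       # key changed AND the IP's key is unknown
    if by_host == "changed":
        return "host-key-changed"
    return "unknown-host"


# Constructed sample keys (toy moduli) and a constructed 20-byte salt.
KEY_B = base64.b64encode(rsa_key_blob(65537, 0xC0FFEE0BADF00D1234567890ABCDEF11)).decode()
KEY_ROGUE = base64.b64encode(rsa_key_blob(65537, 0xDEADBEEF0123456789ABCDEF12345679)).decode()
SALT = b"\x01" * 20

# Constructed known_hosts for "machine A": one plain entry, one hashed entry.
KNOWN_HOSTS = "\n".join([
    "iguanaworks.net,10.0.0.5 ssh-rsa " + KEY_B,
    hash_hostname("backup.example", SALT) + " ssh-rsa " + KEY_ROGUE,
])

if __name__ == "__main__":
    print("Fingerprints of machine B's key (compare with ssh-keygen -lf on the server):")
    for algo, fp in fingerprints(base64.b64decode(KEY_B)).items():
        print("  %s %s" % (algo, fp))
    for host, ip, key in [("iguanaworks.net", "10.0.0.5", KEY_B),
                          ("iguanaworks.net", "10.0.0.6", KEY_ROGUE),
                          ("iguanaworks.net", "10.0.0.5", KEY_ROGUE)]:
        print(host, ip, check_host_key(KNOWN_HOSTS, host, "ssh-rsa", key), diagnose(KNOWN_HOSTS, host, ip, "ssh-rsa", key))
```

For the situation in the post, the practical check is to run `ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub` on machine B and compare that fingerprint with the one in the warning and with the key on line 1 of machine A's known_hosts (the "Offending key" line number). A key that matches on both sides while the warning named a different fingerprint points at whatever machine A resolved and connected to during that hour, not at known_hosts itself.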