[lug] Hacked SSH Daemon

steve at badcheese.com
Fri Sep 7 12:48:37 MDT 2007


Boot Knoppix, run 'chkrootkit'.  Check MD5s of your sshd binaries against a 
known good one on a machine with the same OS (if you have access to one). 
If a rootkit has been found or sshd has been found to have been replaced, the 
system is untrustworthy and should be wiped (except for any non-executable 
files).

If you want to have some fun, it's usually pretty easy to follow the 
tracks of a hacker.  You can usually find the hacker's tracks and 
back-track them and see how he got in so you can protect yourself in the 
future and on other machines.  Check log files, .history, scan for files 
modified by date, dot-files are used frequently, ...  Nowadays, Linux 
machines are pretty secure, but root compromises still happen from time to 
time.

If you ssh'ed from that machine to any other machines, you need to check 
those 'target' machines to make sure that they're not also compromised.

- Steve

On Fri, 7 Sep 2007, George Sexton wrote:

> Date: Fri, 07 Sep 2007 11:25:03 -0600
> From: George Sexton <gsexton at mhsoftware.com>
> Reply-To: "Boulder (Colorado) Linux Users Group -- General Mailing List"
>     <lug at lug.boulder.co.us>
> To: "Boulder (Colorado) Linux Users Group -- General Mailing List"
>     <lug at lug.boulder.co.us>
> Subject: [lug] Hacked SSH Daemon
> 
> I think a machine that I admin has been hacked.
>
> The first problem that I noticed was SSH wasn't running.
>
> Attempts to start sshd generated an error: invalid option "-o PidFile=/xxx"
>
> I verified from the man file that this should work.
>
> Next, I noticed that I got an RSA key message saying that the server's RSA 
> key wasn't known, but the DSA key was known. The next thing I noticed was that 
> Public Key authentication no longer worked. I also verified that I can 
> remotely log in as root, even though I have set PermitRootLogin no in the 
> /etc/ssh/sshd_config
>
> Finally, when I did a "rpm -Vf /usr/sbin/sshd", it popped as modified.
>
> Has anyone seen this before?
>
> Do I need to worry about the machine that I logged in and did my testing 
> from? It's an up to date SuSE 10.2 system. Amazingly, on that system, I had a 
> unique password.
>
> Once I figured out the system looked hacked, I switched to a Knoppix system.
>
> Any ideas on whether I may have compromised the machine I did my initial 
> investigation from will be REALLY appreciated.
>
>

-- 
EMAIL: (h) steve at badcheese.com  WEB: http://badcheese.com/~steve
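The triage Steve describes (boot a rescue system, compare the sshd binaries against a known-good host's MD5s, then sweep for recently modified files and dot-files) as a script. This is an added example, not code from the thread or from any of the posters. It assumes the suspect disk is mounted read-only under a hypothetical mount point such as /mnt/suspect and that the hash list was produced on a trusted machine of the same OS; the sample tree it builds under mktemp is constructed here so it runs offline. Note that a trojaned binary can be hidden from md5sum if the rootkit is in the kernel of the running system, which is why the comparison is done from a separate boot.

```shell
#!/bin/sh
# Added example (not from the original thread): offline triage of a suspect root
# filesystem mounted from a Knoppix-style rescue boot. Checks sshd/ssh against
# MD5s taken on a known-good host, lists files modified after a reference point,
# and lists dot-files. make_sample_tree constructs a fake tree for the demo.

# Build a constructed suspect tree under $1: clean binaries and a known-good
# hash list, then a "replaced" sshd and a hidden directory as a trojan leaves.
make_sample_tree() {
    root=$1
    mkdir -p "$root/usr/sbin" "$root/usr/bin" "$root/root" "$root/tmp"
    printf 'clean sshd\n' > "$root/usr/sbin/sshd"
    printf 'clean ssh\n'  > "$root/usr/bin/ssh"
    # On the trusted host you would run:  md5sum /usr/sbin/sshd /usr/bin/ssh
    # and carry the output over on removable media. Paths are stored relative
    # to the root so the list can be checked against any mount point.
    (cd "$root" && md5sum usr/sbin/sshd usr/bin/ssh) > "$root/tmp/known-good.md5"
    # Reference timestamp: roughly the last time the system was known clean.
    touch -t 200709050000 "$root/tmp/ref"
    # Backdate the legitimate files so they predate the reference point.
    touch -t 200709010000 "$root/usr/sbin/sshd" "$root/usr/bin/ssh" \
                          "$root/tmp/known-good.md5"
    # The intrusion: sshd swapped out, hidden directory dropped in /root.
    printf 'trojaned sshd\n' > "$root/usr/sbin/sshd"
    mkdir -p "$root/root/.x"
    printf 'rm -f ~/.bash_history\n' > "$root/root/.x/clean.sh"
}

# Compare each "md5  relative/path" line in $2 against the tree under $1.
# Prints one MODIFIED/MISSING line per discrepancy; returns 1 if any found.
check_hashes() {
    root=$1; list=$2; bad=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$root/$path" ]; then
            echo "MISSING: /$path"; bad=1; continue
        fi
        actual=$(md5sum "$root/$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MODIFIED: /$path expected=$expected actual=$actual"; bad=1
        fi
    done < "$list"
    return $bad
}

# Regular files under $1 modified more recently than the reference file $2
# (use a file whose mtime marks the last known-clean state, e.g. a package DB).
recent_files() {
    find "$1" -type f -newer "$2" -print
}

# Dot-files and dot-directories anywhere under $1, a common hiding spot.
find_dotfiles() {
    find "$1" -name '.*' -print
}

# Stand-alone demo against the constructed tree. In real use, mount the
# suspect disk read-only (hypothetically /mnt/suspect) and call the functions
# with that mount point and the hash list from the trusted host.
demo() {
    d=$(mktemp -d)
    make_sample_tree "$d"
    echo "== hash check =="
    check_hashes "$d" "$d/tmp/known-good.md5" \
        || echo "sshd replaced: treat the system as untrustworthy"
    echo "== files newer than reference =="
    recent_files "$d" "$d/tmp/ref"
    echo "== dot-files =="
    find_dotfiles "$d"
    rm -rf "$d"
}

demo
```

The hash check only tells you a binary differs from the known-good copy; it does not say what was changed, and a binary that passes can still be surrounded by a modified PAM module or config, so the sweep for recently modified files is run regardless of the hash result.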
