[lug] Have I been hacked?

Hugh Brown hugh at math.byu.edu
Wed Aug 29 12:17:21 MDT 2007


All you really know is that machine B's RSA host key was different from
machine B's perspective (line 1 in machine A's .ssh/known_hosts).

This could have happened because another box running ssh co-opted the ip
of machine B (iguanaworks.net), someone altered DNS and pointed
iguanaworks.net to a different box, ...

So, to answer your question, maybe you were hacked or maybe there was
network trouble and the IP for machine B got temporarily re-assigned to a
box that was running ssh (by mistake or by malice is anyone's guess).

Hugh
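One way to make Hugh's point concrete, as an added example that is not from this thread: read known_hosts (plain or HashKnownHosts-style hashed hostname fields), find the line that records the host, compare the key the remote presents (obtained out of band, e.g. from the console of machine B) with the recorded one, and print the old MD5 colon-hex fingerprint the warning quotes. All keys, hostnames and addresses below are constructed samples, not values from the thread.

```python
import base64
import hashlib
import hmac


def _fake_rsa_blob(e: int, n: int) -> str:  # constructed sample blob, NOT a real key
    def mpint(x: int) -> bytes:  # SSH mpint: 4-byte length + big-endian magnitude
        b = x.to_bytes((x.bit_length() + 8) // 8, "big")
        return len(b).to_bytes(4, "big") + b
    return base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + mpint(e) + mpint(n)).decode()

def hashed_host_field(host: str, salt: bytes) -> str:
    """Hostnames field as written with HashKnownHosts=yes: |1|salt|hmac-sha1(host)."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

KEY_B = _fake_rsa_blob(65537, 0xC0FFEE)    # the key machine B has always had
KEY_X = _fake_rsa_blob(65537, 0xBADC0DE)   # a different key, as seen for 50 minutes
KNOWN_HOSTS = (  # constructed file; line 1 names iguanaworks.net as in Ben's message
    "iguanaworks.net,203.0.113.10 ssh-rsa %s\n" % KEY_B
    + "%s ssh-rsa %s\n" % (hashed_host_field("backup.example", b"0123456789abcdefghij"), KEY_X)
)

def fingerprint_md5(key_b64: str) -> str:
    """Old-style OpenSSH fingerprint: MD5 of the key blob as colon-separated hex."""
    hexd = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(hexd[i:i + 2] for i in range(0, 32, 2))

def _host_matches(field: str, host: str) -> bool:
    if field.startswith("|1|"):  # hashed entry: recompute the HMAC and compare
        _, _, salt_b64, mac_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in field.split(",")  # plain entry: comma-separated names/addresses

def recorded_keys(known_hosts: str, host: str) -> list:
    """Return (line_no, keytype, key_b64) for every entry naming `host`."""
    found = []
    for line_no, line in enumerate(known_hosts.splitlines(), start=1):
        fields = line.split()
        if len(fields) >= 3 and not fields[0].startswith("#") and _host_matches(fields[0], host):
            found.append((line_no, fields[1], fields[2]))
    return found

def check_presented_key(known_hosts: str, host: str, keytype: str, key_b64: str) -> str:
    """'unknown' (no entry), 'match', or 'CHANGED:<line>' naming the offending line."""
    entries = [e for e in recorded_keys(known_hosts, host) if e[1] == keytype]
    if not entries:
        return "unknown"
    if any(e[2] == key_b64 for e in entries):
        return "match"
    return "CHANGED:%d" % entries[0][0]
```

A "CHANGED" result for a key that machine B itself still reports (compare fingerprint_md5 of its /etc/ssh/ssh_host_rsa_key.pub, read locally on B) means something other than B answered at that address or name for a while; a "match" means only that this session reached the recorded key.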

On Wed, 29 Aug 2007, Ben wrote:

> I have a cron job that runs every hour on machine A. It connects to a
> remote server (machine B) via ssh using key exchange. If the connection
> fails, it waits 5 minutes and tries again. Today in my e-mail from
> machine A, I got 9 copies of
>
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> The RSA host key for iguanaworks.net has changed,
> and the key for the according IP address XXX.XXX.XXX.XXX
> is unknown. This could either mean that
> DNS SPOOFING is happening or the IP address for the host
> and its host key have changed at the same time.
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
> It is also possible that the RSA host key has just been changed.
> The fingerprint for the RSA key sent by the remote host is
> XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX.
> Please contact your system administrator.
> Add correct host key in /home/administrator/.ssh/known_hosts to get rid of this message.
> Offending key in /home/administrator/.ssh/known_hosts:1
> RSA host key for iguanaworks.net has changed and you have requested strict checking.
> Host key verification failed.
> Fatal error: Lost connection with the server
>
> sent every 5 minutes. On machine B, the logs show successful connects from Machine A until 2:20am this morning. At 3:20, the connection failed (only message: Connect closed by Machine A IP address) and that message repeats every 5 minutes until all of a sudden at 4:00 it started working again. So for 50 minutes, the keys didn't authenticate and then all of a sudden they did again.
>
> Now, I checked on Machine B and it currently has, and previously had, the same RSA key as listed in the connection warning message:
>
> The fingerprint for the RSA key sent by the remote host is
> XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX.
>
> It is as if the key on machine A (/home/administrator/.ssh/known_hosts) changed for about an hour and then changed back. Is this an indication of someone hacking either box? If not, what would cause this? I haven't seen anything suspicious in the logs.
>
>
> Thanks,
>
> Ben
>
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug