[lug] Hacked SSH Daemon
George Sexton
gsexton at mhsoftware.com
Fri Sep 7 11:25:03 MDT 2007
I think a machine that I admin has been hacked.
The first problem that I noticed was SSH wasn't running.
Attempts to start sshd generated an error: invalid option "-o PidFile=/xxx".
I verified from the man file that this should work.
Next, I noticed that I got an RSA key message saying that the server's
RSA key wasn't known, but the DSA key was known. The next thing I noticed
was that Public Key authentication no longer worked. I also verified
that I can remotely log in as root, even though I have set
PermitRootLogin no in /etc/ssh/sshd_config.
Finally, when I did a "rpm -Vf /usr/sbin/sshd", it popped as modified.
Has anyone seen this before?
Do I need to worry about the machine that I logged in and did my testing
from? It's an up to date SuSE 10.2 system. Amazingly, on that system, I
had a unique password.
Once I figured out the system looked hacked, I switched to a Knoppix system.
Any ideas on whether I may have compromised the machine I did my initial
investigation from will be REALLY appreciated.
--
George Sexton
MH Software, Inc.
Voice: +1 303 438 9585
URL: http://www.mhsoftware.com/
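The two checks in the post that actually produced evidence were `rpm -Vf /usr/sbin/sshd` (the binary no longer matches its package) and the observation that `PermitRootLogin no` was not being enforced. The following triage helper is an added example, not part of George's post and not a SuSE or OpenSSH tool: it parses `rpm -V` output (the 8- or 9-position attribute string documented in rpm(8), an optional file-attribute marker such as `c` for config files, and the path), separates content changes in package-owned binaries from routine config edits, and reads a first-match-wins view of `sshd_config` so the configured `PermitRootLogin` value can be compared with what the daemon actually did. The sample `rpm -V` lines and the `sshd_config` excerpt are constructed for the example; the function and variable names are mine.

```python
"""Triage helper for a suspected sshd replacement: parse `rpm -V` output and
sshd_config, then report package-owned files whose content changed and a
PermitRootLogin setting the running daemon is evidently not honouring.
Added example; sample data below is constructed, not captured from a real host."""
import re
from typing import Dict, FrozenSet, List, NamedTuple

# Position meaning of the rpm -V attribute string (see rpm(8)); '.' = test passed,
# '?' = test could not be run. Older rpm prints 8 positions (no 'P'), newer prints 9.
RPM_FLAG_NAMES = {
    "S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink",
    "U": "user", "G": "group", "T": "mtime", "P": "caps",
}

# Attribute markers whose changes are usually benign: config files ('c') are edited by
# admins, and documentation ('d') is often deliberately not installed.
BENIGN_ATTRS = ("c", "d")

_VERIFY_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9}|missing)\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S.*)$"
)


class VerifyEntry(NamedTuple):
    path: str
    failed: FrozenSet[str]  # names of the checks that failed
    missing: bool           # file is gone entirely
    attr: str               # rpm file attribute marker ('c', 'd', ...) or ''


def parse_rpm_verify(text: str) -> List[VerifyEntry]:
    """Parse `rpm -V` / `rpm -Vf` output lines into VerifyEntry records."""
    entries: List[VerifyEntry] = []
    for raw in text.splitlines():
        m = _VERIFY_RE.match(raw.strip())
        if not m:
            continue  # dependency warnings and other non-file lines are ignored
        attr = m.group("attr") or ""
        if m.group("flags") == "missing":
            entries.append(VerifyEntry(m.group("path"), frozenset(), True, attr))
            continue
        failed = frozenset(RPM_FLAG_NAMES[c] for c in m.group("flags") if c in RPM_FLAG_NAMES)
        entries.append(VerifyEntry(m.group("path"), failed, False, attr))
    return entries


def suspicious_binaries(entries: List[VerifyEntry]) -> List[VerifyEntry]:
    """Package-owned non-config, non-doc files that are missing or whose content
    (digest or size) differs from the package. An mtime-only change is not enough."""
    return [e for e in entries
            if e.attr not in BENIGN_ATTRS and (e.missing or e.failed & {"digest", "size"})]


def parse_sshd_config(text: str) -> Dict[str, str]:
    """First occurrence of a keyword wins, as in sshd itself. Parsing stops at the
    first Match block because directives below it are conditional."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        if key == "match":
            break
        conf.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return conf


def triage(rpm_verify_output: str, sshd_config_text: str, root_login_observed: bool) -> List[str]:
    """Combine both checks into a list of findings (empty list = nothing flagged)."""
    findings: List[str] = []
    for e in suspicious_binaries(parse_rpm_verify(rpm_verify_output)):
        what = "is missing" if e.missing else "failed " + ", ".join(sorted(e.failed))
        findings.append(f"{e.path}: package-owned file {what}; content differs from the package")
    conf = parse_sshd_config(sshd_config_text)
    if conf.get("permitrootlogin", "").lower() == "no" and root_login_observed:
        findings.append("PermitRootLogin is 'no' in sshd_config but root login succeeded: "
                        "the running daemon is not enforcing this configuration")
    return findings


# Constructed sample data resembling the symptoms described in the post.
SAMPLE_RPM_V = """\
S.5....T.    /usr/sbin/sshd
.......T.  c /etc/ssh/sshd_config
missing   d /usr/share/doc/packages/openssh/README
"""

SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config excerpt
Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_RPM_V, SAMPLE_SSHD_CONFIG, root_login_observed=True):
        print(finding)
```

Two caveats when using this on a host like the one described: `rpm -V` compares files against the rpm database on the same disk, and anyone with root on the box could have altered that database too, so run the verification from a live CD (as George did with Knoppix) with `rpm --root` pointed at the mounted filesystem, and confirm the worst findings with `rpm -Vp` against a package file fetched from a clean mirror. A config-only mtime change on `sshd_config` (the second sample line) is the normal result of an admin edit and is deliberately not flagged.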