Successful SSH Attack - Need help cleaning up
Jonathan Ellis
jonathan at carnageblender.com
Fri Oct 27 13:57:35 MDT 2006
On Fri, 27 Oct 2006 13:54:07 -0600, "Daniel" <teletautala at gmail.com> said:
> There was a successful ssh attack on one of our boxes. We need to allow ssh
> access to those outside the organization. The attacker put a homegrown
> rootkit on the server. The rootkit was stopped, but since then ssh has been
> logging to /var/log/messages. The relevant configuration files I know about
> (/etc/ssh/sshd_config, /etc/ssh/ssh_config, /etc/syslog) are the same as a
> server that works. /var/log/secure is not getting any messages. What can
> I do to restore ssh to its previous state without reinstalling it?
You should reinstall; if you had a rootkit installed, you have no idea
what else is compromised.
--
C++ is history repeated as tragedy. Java is history repeated as farce. --Scott McKay