Successful SSH Attack - Need help cleaning up

Daniel teletautala at gmail.com
Fri Oct 27 14:49:07 MDT 2006


If I back up the /etc/ssh/ folder and reinstall, then copy the /etc/ssh/
folder back, will this be fine?

On 10/27/06, Jason Holt <jason at lunkwill.org> wrote:
>
>
> On Fri, 27 Oct 2006, Jonathan Ellis wrote:
>
> > On Fri, 27 Oct 2006 13:54:07 -0600, "Daniel" <teletautala at gmail.com>
> > said:
> >> There was a successful ssh attack on one of our boxes.  We need to allow
> >> ssh access to those outside the organization.  The attacker put a homegrown
> >> rootkit on the server.  The rootkit was stopped, but since then ssh has
> >> been logging to /var/log/messages.  The relevant configuration files I know
> >> about (/etc/ssh/sshd_config, /etc/ssh/ssh_config, /etc/syslog) are the same
> >> as on a server that works.  /var/log/secure is not getting any messages.
> >> What can I do to restore ssh to its previous state without reinstalling it?
> >
> > You should reinstall; if you had a rootkit installed, you have no idea
> > what else is compromised.
>
> Indeed.  And if you don't believe us, ask Ken Thompson:
>
> http://www.acm.org/classics/sep95/
>
> (He came to a security talk I gave the other day.  w00t!)
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
>
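Daniel's question of whether /etc/ssh can simply be copied back is one place a check helps: before restoring a backup taken from a rooted host, compare its sshd_config against the one the fresh install lays down and look at every sensitive directive that differs. The script below is an added example, not part of the thread; it assumes both files are at hand and uses constructed sample contents. A differing SyslogFacility, for instance, changes which syslog rule (and so which log file) sshd's messages land in.

```python
import re

# Directives whose value deserves a second look before a backed-up
# config is copied back onto a rebuilt host.
SENSITIVE = {
    "port", "permitrootlogin", "passwordauthentication",
    "permitemptypasswords", "authorizedkeysfile", "usepam",
    "syslogfacility", "loglevel", "allowusers", "allowgroups",
}

def parse_sshd_config(text):
    """Return {keyword (lower-cased): value} for the active lines of an
    sshd_config. sshd uses the first value it sees for a keyword, so
    later duplicates are ignored here too. Match blocks are not modelled."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z][A-Za-z0-9]*)(?:\s*=\s*|\s+)(\S.*)", line)
        if m:
            conf.setdefault(m.group(1).lower(), m.group(2).strip())
    return conf

def audit_restored_config(backup_text, fresh_text):
    """Compare the backup against the fresh install's config and return
    {keyword: (backup_value, fresh_value)} for every sensitive directive
    whose value differs (None means the directive is absent)."""
    backup, fresh = parse_sshd_config(backup_text), parse_sshd_config(fresh_text)
    return {k: (backup.get(k), fresh.get(k))
            for k in sorted(SENSITIVE) if backup.get(k) != fresh.get(k)}

# Constructed sample: sshd_config as shipped by a fresh package install.
FRESH_CONFIG = """\
Port 22
Protocol 2
SyslogFacility AUTHPRIV
PermitRootLogin no
PasswordAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
UsePAM yes
"""

# Constructed sample: the backup taken from the compromised host, with
# two directives that no longer match the fresh install.
BACKUP_CONFIG = (FRESH_CONFIG.replace("SyslogFacility AUTHPRIV", "SyslogFacility AUTH")
                             .replace("PermitRootLogin no", "PermitRootLogin yes"))

if __name__ == "__main__":
    for key, (was, now) in audit_restored_config(BACKUP_CONFIG, FRESH_CONFIG).items():
        print(f"{key}: backup={was!r} fresh={now!r}")
```

Host keys under /etc/ssh/ are worth the same treatment: record their fingerprints from a trusted copy and compare before reuse, rather than trusting whatever the backup contains.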
