Successful SSH Attack - Need help cleaning up

Charles Curley charlescurley at charlescurley.com
Fri Oct 27 14:56:58 MDT 2006


On Fri, Oct 27, 2006 at 02:49:07PM -0600, Daniel wrote:
> If I backup the /etc/ssh/ folder and reinstall then copy the /etc/ssh/
> folder back will this be fine?

No.

1) You don't know what's in the existing /etc/ssh directory.

2) You don't know what is elsewhere in the system, say, oh,
   /root/.ssh.

3) Paranoids live longer.

> 
> On 10/27/06, Jason Holt <jason at lunkwill.org> wrote:
> >
> >
> >On Fri, 27 Oct 2006, Jonathan Ellis wrote:
> >
> >> On Fri, 27 Oct 2006 13:54:07 -0600, "Daniel" <teletautala at gmail.com>
> >> said:
> >>> There was a successful ssh attack on one of our boxes.  We need to allow
> >>> ssh access to those outside the organization.  The attacker put a
> >>> homegrown rootkit on the server.  The rootkit was stopped, but since
> >>> then ssh has been logging to /var/log/messages.  The relevant
> >>> configuration files I know about (/etc/ssh/sshd_config,
> >>> /etc/ssh/ssh_config, /etc/syslog) are the same as on a server that
> >>> works.  /var/log/secure is not getting any messages.  What can I do to
> >>> restore ssh to its previous state without reinstalling it?
> >>
> >> You should reinstall; if you had a rootkit installed, you have no idea
> >> what else is compromised.
> >
> >Indeed.  And if you don't believe us, ask Ken Thompson:
> >
> >http://www.acm.org/classics/sep95/
> >
> >(He came to a security talk I gave the other day.  w00t!)
> >
> >
> >
> >/*
> >PLUG: http://plug.org, #utah on irc.freenode.net
> >Unsubscribe: http://plug.org/mailman/options/plug
> >Don't fear the penguin.
> >*/
> >

-- 

Charles Curley                  /"\    ASCII Ribbon Campaign
Looking for fine software       \ /    Respect for open standards
and/or writing?                  X     No HTML/RTF in email
http://www.charlescurley.com    / \    No M$ Word docs in email

Key fingerprint = CE5C 6645 A45A 64E4 94C0  809C FFF6 4C48 4ECD DFDB
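Charles's second point, that access can be granted from outside /etc/ssh (for instance via /root/.ssh), as an added example that is not part of this thread: a small POSIX sh audit that lists every key in the authorized_keys files you hand it, together with any option prefix, so the rebuilt host only receives keys someone can vouch for. The paths in the usage line are assumptions, and sshd_config's AuthorizedKeysFile may point somewhere else entirely.

```sh
#!/bin/sh
# Added example, not code from the thread.  Before copying anything back
# from a compromised host, inventory every public key that would grant SSH
# access on the rebuilt one.  Assumes the default AuthorizedKeysFile
# location; check sshd_config in case the directive points elsewhere.

# audit_keys_file FILE
# Prints one tab-separated line per key: FILE, KEY-TYPE, COMMENT, OPTIONS.
audit_keys_file() {
    f=$1
    if [ ! -r "$f" ]; then
        printf 'no readable file: %s\n' "$f" >&2
        return 0
    fi
    awk -v file="$f" 'BEGIN { OFS = "\t" }
        /^[[:space:]]*(#|$)/ { next }   # skip blank and comment lines
        {
            # The key type is the first field that looks like one; anything
            # before it is the option prefix (command=, from=, no-pty, ...).
            # Heuristic: an option value containing a word that starts with
            # "ssh-" would confuse it, and such a line deserves a look anyway.
            k = 0
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) { k = i; break }
            if (k == 0) { print file, "UNPARSED", $0, ""; next }
            opts = ""
            for (i = 1; i < k; i++) opts = opts (i > 1 ? " " : "") $i
            comment = ""
            for (i = k + 2; i <= NF; i++) comment = comment (i > k + 2 ? " " : "") $i
            print file, $k, comment, opts
        }' "$f"
}

# count_keys FILE: number of parseable key lines.
count_keys() {
    audit_keys_file "$1" | awk -F'\t' '$2 != "UNPARSED" { n++ } END { print n + 0 }'
}

# count_option_keys FILE: keys carrying an option prefix such as command=,
# which an admin rarely adds by hand and which deserve a second look.
count_option_keys() {
    audit_keys_file "$1" | awk -F'\t' '$2 != "UNPARSED" && $4 != "" { n++ } END { print n + 0 }'
}

# Usage: sh audit_keys.sh /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys
for f in "$@"; do
    audit_keys_file "$f"
done
```

Any UNPARSED line, and any key whose comment nobody recognises, should be left off the rebuilt host rather than restored from the old one.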