Successful SSH Attack - Need help cleaning up
charlescurley at charlescurley.com
Fri Oct 27 14:56:58 MDT 2006
On Fri, Oct 27, 2006 at 02:49:07PM -0600, Daniel wrote:
> If I backup the /etc/ssh/ folder and reinstall then copy the /etc/ssh/
> folder back will this be fine?
1) You don't know what's in the existing /etc/ssh directory.
2) You don't know what is elsewhere in the system, say, oh,
3) Paranoids live longer.
> On 10/27/06, Jason Holt <jason at lunkwill.org> wrote:
> >On Fri, 27 Oct 2006, Jonathan Ellis wrote:
> >> On Fri, 27 Oct 2006 13:54:07 -0600, "Daniel" <teletautala at gmail.com>
> >> said:
> >>> There was a successful ssh attack on one of our boxes. We need to
> >>> ssh
> >>> access to those outside the organization. The attacker put a homegrown
> >>> rootkit on the server. The rootkit was stopped, but since then ssh has
> >>> been
> >>> logging to /var/log/messages. The relavent configuration files I know
> >>> about
> >>> (/etc/ssh/sshd_config, /etc/ssh/ssh_config, /etc/syslog) are the same a
> >>> server that I works. /var/log/secure is not getting any
> >messages. What
> >>> can
> >>> I do to restore ssh to its previous state without reinstalling it?
> >> You should reinstall; if you had a rootkit installed, you have no idea
> >> what else is compromised.
> >Indeed. And if you don't believe us, ask Ken Thompson:
> >(He came to a security talk I gave the other day. w00t!)
> >PLUG: http://plug.org, #utah on irc.freenode.net
> >Unsubscribe: http://plug.org/mailman/options/plug
> >Don't fear the penguin.
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
Charles Curley /"\ ASCII Ribbon Campaign
Looking for fine software \ / Respect for open standards
and/or writing? X No HTML/RTF in email
http://www.charlescurley.com / \ No M$ Word docs in email
Key fingerprint = CE5C 6645 A45A 64E4 94C0 809C FFF6 4C48 4ECD DFDB
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: not available
Url : http://plug.org/pipermail/plug/attachments/20061027/460377c0/attachment.bin
More information about the PLUG