Successful SSH Attack - Need help cleaning up

Steve smorrey at gmail.com
Fri Oct 27 15:23:12 MDT 2006


Just a note, for in the future what I have done is moved SSH to an
obscure port way off in the boonies.  Never had an SSH attack attempt
since doing so.
But yeah everyone is correct, wipe that puppy and re-install clean.

On 10/27/06, Daniel <teletautala at gmail.com> wrote:
> I have people accessing this server who don't know much about computers and
> get freaked out when some thing changes.  Will they notice something has
> changed when they use it the first time after the reinstall?
>
> On 10/27/06, Charles Curley <charlescurley at charlescurley.com> wrote:
> >
> > On Fri, Oct 27, 2006 at 02:49:07PM -0600, Daniel wrote:
> > > If I backup the /etc/ssh/ folder and reinstall then copy the /etc/ssh/
> > > folder back will this be fine?
> >
> > No.
> >
> > 1) You don't know what's in the existing /etc/ssh directory.
> >
> > 2) You don't know what is elsewhere in the system, say, oh,
> >    /root/.ssh.
> >
> > 3) Paranoids live longer.
> >
> > >
> > > On 10/27/06, Jason Holt <jason at lunkwill.org> wrote:
> > > >
> > > >
> > > >On Fri, 27 Oct 2006, Jonathan Ellis wrote:
> > > >
> > > >> On Fri, 27 Oct 2006 13:54:07 -0600, "Daniel" <teletautala at gmail.com>
> > > >> said:
> > > >>> There was a successful ssh attack on one of our boxes.  We need to allow
> > > >>> ssh access to those outside the organization.  The attacker put a
> > > >>> homegrown rootkit on the server.  The rootkit was stopped, but since
> > > >>> then ssh has been logging to /var/log/messages.  The relevant
> > > >>> configuration files I know about (/etc/ssh/sshd_config,
> > > >>> /etc/ssh/ssh_config, /etc/syslog) are the same as on a server that
> > > >>> works.  /var/log/secure is not getting any messages.  What can I do
> > > >>> to restore ssh to its previous state without reinstalling it?
> > > >>
> > > >> You should reinstall; if you had a rootkit installed, you have no idea
> > > >> what else is compromised.
> > > >
> > > >Indeed.  And if you don't believe us, ask Ken Thompson:
> > > >
> > > >http://www.acm.org/classics/sep95/
> > > >
> > > >(He came to a security talk I gave the other day.  w00t!)
> > > >
> > > >
> > > >
> > > >/*
> > > >PLUG: http://plug.org, #utah on irc.freenode.net
> > > >Unsubscribe: http://plug.org/mailman/options/plug
> > > >Don't fear the penguin.
> > > >*/
> > > >
> > >
> >
> > --
> >
> > Charles Curley                  /"\    ASCII Ribbon Campaign
> > Looking for fine software       \ /    Respect for open standards
> > and/or writing?                  X     No HTML/RTF in email
> > http://www.charlescurley.com    / \    No M$ Word docs in email
> >
> > Key fingerprint = CE5C 6645 A45A 64E4 94C0  809C FFF6 4C48 4ECD DFDB
> >
> >
> >
> >
> >
> >
>
>