Successful SSH Attack - Need help cleaning up

Jason Holt jason at
Fri Oct 27 14:28:42 MDT 2006

On Fri, 27 Oct 2006, Jonathan Ellis wrote:

> On Fri, 27 Oct 2006 13:54:07 -0600, "Daniel" <teletautala at>
> said:
>> There was a successful ssh attack on one of our boxes.  We need to allow
>> ssh
>> access to those outside the organization.  The attacker put a homegrown
>> rootkit on the server.  The rootkit was stopped, but since then ssh has
>> been
>> logging to /var/log/messages.  The relavent configuration files I know
>> about
>> (/etc/ssh/sshd_config, /etc/ssh/ssh_config, /etc/syslog) are the same a
>> server that I works.  /var/log/secure is not getting any messages.  What
>> can
>> I do to restore ssh to its previous state without reinstalling it?
> You should reinstall; if you had a rootkit installed, you have no idea
> what else is compromised.

Indeed.  And if you don't believe us, ask Ken Thompson:

(He came to a security talk I gave the other day.  w00t!)

More information about the PLUG mailing list