Successful SSH Attack - Need help cleaning up

Chris Carey chris.carey at
Fri Oct 27 14:57:57 MDT 2006

On 10/27/06, Daniel <teletautala at> wrote:
> There was a successful ssh attack on one of our boxes.  We need to allow ssh
> access to those outside the organization.  The attacker put a homegrown
> rootkit on the server.  The rootkit was stopped, but since then ssh has been
> logging to /var/log/messages.  The relavent configuration files I know about
> (/etc/ssh/sshd_config, /etc/ssh/ssh_config, /etc/syslog) are the same a
> server that I works.  /var/log/secure is not getting any messages.  What can
> I do to restore ssh to its previous state without reinstalling it?

You MUST reinstall. You don't know what other files have been
compromised unless you have MD5sums of every file on your system
stored off site.

More information about the PLUG mailing list