md5sums of the sshd files seem to be the same compared to a non-infected system. I do not have any /etc/xinetd.d. sshd_config is the default one. I will try to run find / -mtime -5 but I guess nothing interesting will come of it.
Any other ideas? I can still provide ssh access.

On Thu, Dec 29, 2011 at 8:42 PM, Todd Wheeler <[email protected]> wrote:
> I'm wondering based on this if there is anything in /etc/xinetd.d or if
> there is anything in /etc/ssh/sshd_config that would point you in the right
> direction. Sounds like something is spawning based on a connection to port
> 22. (if OpenSSH itself wasn't exploited)
>
> Times like this: I've found that it helps to use the 'find' command and
> print a list of files modified within the last 'x' days. ('find / -mtime -5'
> will show last 5 days, obviously change the '5' for shorter windows) That
> may indicate anything that has been replaced system-wise and also point you
> in the right direction. I also find that if a system has been exploited,
> most automated scripts will chattr the files to make them slightly more
> difficult for someone that doesn't understand that - there may be a way to
> search for these directly, but I can't remember off hand. It's just another
> signature of automated rootkits, though.
>
> Good luck!
>
> On Dec 29, 2011, at 11:32 AM, Taz wrote:
>
> > Some of them yes, some of them no. Almost every server has only
> > nginx installed, without a PHP or Perl backend, with a simple location /
> > that just serves static files. The perl script was launched from ssh. I am
> > sure. How else would you describe such an environ file for the perl PID,
> > where it is clearly shown that the command was launched through ssh on the
> > SSH port from a concrete IP that does not belong to me? A -j DROP rule
> > on port 22 prevented that script from appearing again, but it's not a
> > solution.
>
>

--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]
Archive: http://lists.debian.org/ca+0w4nntrk6ysrqpwgu-sq9phde+k76747qnn-phi52kfcf...@mail.gmail.com
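The three checks discussed in this thread (files modified in the last N days, files that an automated rootkit has chattr'd immutable, and the SSH_CONNECTION entry in a process's environ that shows a command was started from an ssh session) as one POSIX shell triage script. This is an added example, not code posted by either participant; the function names, the pruned pseudo-filesystems, the 5-day default and the TRIAGE_RUN guard are my assumptions.

```shell
#!/bin/sh
# Added triage helpers (not from the thread). Function names, pruned paths
# and the 5-day default are assumptions. Run as root on the suspect host,
# or point the functions at a copied tree.

# recent_files DIR [DAYS]: regular files under DIR modified in the last DAYS
# days (default 5, as in 'find / -mtime -5' above), skipping /proc, /sys,
# /dev and /run, which would drown the listing on a live root.
# Caveat: mtime is trivially backdated with touch, so absence proves nothing.
recent_files() {
    dir="$1"; days="${2:-5}"
    find "$dir" \( -path /proc -o -path /sys -o -path /dev -o -path /run \) -prune \
        -o -type f -mtime "-$days" -print 2>/dev/null
}

# immutable_files DIR: files carrying the ext2/3/4 'i' (immutable) attribute,
# the chattr signature Todd mentions. lsattr prints a flag field then the
# path; keep lines whose flag field contains a lowercase 'i'. -xdev stays on
# DIR's filesystem, so call it once per mounted ext filesystem. Errors from
# filesystems without attribute support are dropped, so empty != clean.
immutable_files() {
    find "$1" -xdev -type f -print0 2>/dev/null \
        | xargs -0 -r lsattr -- 2>/dev/null \
        | awk '$1 ~ /i/ { print substr($0, index($0, " ") + 1) }'
}

# ssh_spawned [PROCROOT]: processes whose environment carries SSH_CONNECTION
# (sshd sets it for every session), i.e. the environ evidence Taz describes.
# Prints PID, "client_ip client_port server_ip server_port", and the command.
# PROCROOT defaults to /proc; a constructed tree can be passed for testing.
# environ is only readable by the process owner or root: unreadable = skipped.
ssh_spawned() {
    procroot="${1:-/proc}"
    for env in "$procroot"/[0-9]*/environ; do
        [ -r "$env" ] || continue
        pdir="${env%/environ}"; pid="${pdir##*/}"
        conn=$(tr '\0' '\n' < "$env" 2>/dev/null | sed -n 's/^SSH_CONNECTION=//p')
        [ -n "$conn" ] || continue
        cmd=$(tr '\0' ' ' < "$pdir/cmdline" 2>/dev/null | sed 's/ $//')
        printf '%s\t%s\t%s\n' "$pid" "$conn" "$cmd"
    done
}

# Run everything against the live system only when explicitly asked:
#   TRIAGE_RUN=1 sh triage.sh [DAYS]
if [ "${TRIAGE_RUN:-0}" = 1 ]; then
    echo "== regular files modified in the last ${1:-5} days"
    recent_files / "${1:-5}"
    echo "== files with the immutable attribute (root filesystem)"
    immutable_files /
    echo "== processes started from an ssh session (pid, SSH_CONNECTION, cmd)"
    ssh_spawned
fi
```

Because the attacker's script was started from an ssh login rather than by exploiting sshd, the SSH_CONNECTION check is the quickest way to tie a stray perl process to a source address; the mtime and attribute scans are corroborating signals, not proof, since both can be defeated by an attacker who restores timestamps or does not bother with chattr.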

