I use fail2ban, but the fact is there are absolutely no records of connections in auth.log. I am sure SSH is used, because after I blocked the SSH port altogether the "perl" process does not start anymore. Besides, on different machines I use different ports, and in all the environ files of the perl process in /proc the right port is written. It should also be mentioned that the SSLVL variable is always 1, while I think it should be 2.

On Thu, Dec 29, 2011 at 7:47 PM, Taz <[email protected]> wrote:
> Of course, I've changed all passwords twice and regenerated the SSH keys.
>
> On Thu, Dec 29, 2011 at 7:44 PM, Taz <[email protected]> wrote:
>> http://security.stackexchange.com/questions/10202/perl-script-rootkit
>>
>> Here it is, all the details. Please check it out.
>>
>> On Thu, Dec 29, 2011 at 7:31 PM, Kees de Jong <[email protected]> wrote:
>>> If you are absolutely sure that they gained root access, then there is no
>>> other alternative than to kill the internet on those machines.
>>> And then you should back up all the data you want to preserve so that you
>>> can reinstall those machines safely. There is no telling if they installed
>>> another SSH server or other nasty things like rootkits.
>>> Most attackers install their own SSH server so that any changes you make to
>>> patch your security holes aren't putting them out of business.
>>> Unless you have aide installed and made regular checksums of all the files
>>> and configs, you have no idea if anything has changed since the attack.
>>> You can also try rkhunter and chkrootkit to find any rootkits on your
>>> system, but they aren't conclusive.
>>>
>>> The only way to be sure that you are in the clear is a totally new start on
>>> all the affected machines.
>>>
>>> PS: We all got it now, fail2ban is a great tool ;-)
>>>
>>> On Thu, Dec 29, 2011 at 15:04, Taz <[email protected]> wrote:
>>>>
>>>> Hello, we've got various Debian servers, about 15, with different
>>>> versions. All of them have been attacked today and root access was gained.
>>>> Can anybody help? We can give SSH access to an attacked machine; it seems
>>>> to be a serious SSH vulnerability.
>>>>
>>>> How can I contact the OpenSSH maintainer?
>>>>
>>>> Thank you.
>>>>
>>>> --
>>>> To UNSUBSCRIBE, email to [email protected]
>>>> with a subject of "unsubscribe". Trouble? Contact
>>>> [email protected]
>>>> Archive:
>>>> http://lists.debian.org/CA+0W4N=at0esj+y3d8drzw8u+s6tcr6bcuha+w+u5rl-80v...@mail.gmail.com
>>>>
>>>
>>> --
>>> Met vriendelijke groet,
>>> Kees de Jong
>>>
>>> --
>>> The information contained in this message may be confidential and is
>>> intended to be exclusively for the addressee(s).
>>> Should you receive this message unintentionally, please do not use the
>>> contents herein and notify the sender immediately by return e-mail.

--
To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]
Archive: http://lists.debian.org/CA+0W4Nmh1iUJ3u=2uxp0hhzqw5-j03fdsoch1w1adosty3c...@mail.gmail.com
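The poster's observation, that the `/proc/<pid>/environ` of the unexpected `perl` process contains the SSH port of that particular machine, is a useful incident-response check in its own right: `sshd` exports `SSH_CONNECTION` and `SSH_CLIENT` into the environment of every process it spawns, so a process carrying those variables was started from an SSH session even when nothing reached auth.log. The script below is an added example written for this thread, not code from any participant; it parses the NUL-separated environ format, extracts the client address and server port, and lists processes whose command name is on a watch list (here `perl`, as in the thread) and whose environment shows an SSH origin. The sample environ bytes are constructed for illustration; the `/proc` scan needs root to read other users' environ files.

```python
import os

# Constructed sample of what /proc/<pid>/environ looks like: NUL-separated KEY=VALUE pairs.
# The addresses are documentation ranges (RFC 5737), not real hosts.
SAMPLE_ENVIRON = (
    b"PATH=/usr/bin:/bin\x00"
    b"SSH_CONNECTION=203.0.113.5 51234 192.0.2.10 2222\x00"
    b"SSH_CLIENT=203.0.113.5 51234 2222\x00"
    b"USER=root\x00"
)


def parse_environ(raw):
    """Parse the NUL-separated KEY=VALUE format of /proc/<pid>/environ into a dict."""
    env = {}
    for entry in raw.split(b"\x00"):
        if not entry:
            continue
        key, sep, value = entry.partition(b"=")
        if sep:  # skip malformed entries that have no '='
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def ssh_origin(env):
    """Return (client_ip, server_port) if the environment shows an SSH-spawned process, else None.

    SSH_CONNECTION is 'client_ip client_port server_ip server_port';
    SSH_CLIENT is 'client_ip client_port server_port'.
    """
    conn = env.get("SSH_CONNECTION")
    if conn:
        parts = conn.split()
        if len(parts) == 4 and parts[3].isdigit():
            return parts[0], int(parts[3])
    client = env.get("SSH_CLIENT")
    if client:
        parts = client.split()
        if len(parts) == 3 and parts[2].isdigit():
            return parts[0], int(parts[2])
    return None


def scan_proc(suspect_names=("perl",), proc="/proc"):
    """List (pid, comm, client_ip, server_port) for watched processes started from an SSH session."""
    findings = []
    if not os.path.isdir(proc):
        return findings
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc, pid, "comm")) as f:
                comm = f.read().strip()
            with open(os.path.join(proc, pid, "environ"), "rb") as f:
                raw = f.read()
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue  # process exited, or not ours to read without root
        if comm not in suspect_names:
            continue
        origin = ssh_origin(parse_environ(raw))
        if origin:
            findings.append((int(pid), comm, origin[0], origin[1]))
    return findings


if __name__ == "__main__":
    for pid, comm, ip, port in scan_proc():
        print(f"pid {pid} ({comm}) was started from an SSH session: client {ip}, server port {port}")
```

Running it as root on a host with a non-default SSH port and comparing the reported server port against the port configured in `sshd_config` reproduces the check the poster did by hand; a match for a process nobody started interactively is worth preserving (`/proc/<pid>/exe`, `cmdline`, `cwd`) before the machine is taken offline and rebuilt, as advised earlier in the thread.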

