Has this issue been resolved? Can we be sure this doesn't lead back to a potentially vulnerable component of openssh?

Can you provide any further information? Did you find the point of entry (compromise)?

Greetings,
Patrick

--
Patrick Geschke
System Administration

Top Employer 2011! KiKxxl was named the second-best employer in Germany by TOP JOB.

KiKxxl GmbH
Mindener Strasse 127
49084 Osnabrück
Tel.: 0541 / 3305 0
Fax : 0541 / 3305 100
Mail: [email protected]
WWW : http://www.kikxxl.de

Bremen branch
Hermann-Köhl-Straße 1a
28199 Bremen

Registered office Osnabrück, HRB 18841, Osnabrück District Court
Managing Director Andreas Kremer

-----Original Message-----
From: Noah Meyerhans [mailto:[email protected]]
Sent: Thursday, 29 December 2011 20:46
To: [email protected]
Subject: Re: need help with openssh attack

On Thu, Dec 29, 2011 at 11:30:27PM +0400, Taz wrote:
> Anybody want to check it out?
> I can provide ssh access, if you will give me an ssh key.

From the sound of things, we're not going to find much. It's clear that the attackers have already cleaned up their tracks by editing auth.log, etc. The detailed forensics needed here would likely take a fair bit of time. Also, because we'd be working on a compromised host, we likely couldn't even trust our own tools to give us accurate information. File-system level forensics would be best performed on a block-level image of the disk itself (e.g. made using something like dd).

One recommendation I've got for future deployments, if you can allocate the resources for it, is to have a dedicated syslog host. This host should not run any services other than syslogd, including ssh. Any access would need to be via the console. You should be careful to give it a unique root password, and probably don't even bother to create any non-root accounts on it. Configure the rest of your hosts to send their logs to this host. Having a copy of things like auth.log whose integrity can be trusted would be most helpful here.

noah

--
To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]
Archive: http://lists.debian.org/[email protected]
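The block-level image Noah recommends, as an added example that is not part of the thread: a small POSIX shell function that images a source with dd and records matching SHA-256 hashes of source and image, so the copy can be shown to be faithful before any file-system forensics starts. It assumes GNU dd and sha256sum on a clean system (booted from separate media, since the compromised host's own tools can't be trusted, as Noah notes); the device and output paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): take a block-level image
# of SRC into DST with dd and record hashes of both so the image's integrity
# can be verified later. Run from trusted media, not the compromised host.
set -eu

# image_disk SRC DST
#   bs=512 matches the sector size, so conv=noerror,sync can zero-fill an
#   unreadable block without shifting later offsets or padding the tail
#   (a larger bs with conv=sync would pad the final partial block).
#   dd's own summary goes to DST.dd.log; the hashes go to DST.sha256.
#   Returns 0 only if source and image hash identically.
image_disk() {
    src="$1"
    dst="$2"
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>"$dst.dd.log"
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    dst_hash=$(sha256sum "$dst" | cut -d' ' -f1)
    # Two-line record: hash of the live source, hash of the image file.
    printf '%s  %s\n' "$src_hash" "$src" >"$dst.sha256"
    printf '%s  %s\n' "$dst_hash" "$dst" >>"$dst.sha256"
    [ "$src_hash" = "$dst_hash" ]
}

# Stand-alone usage: image_disk.sh /dev/sdX /mnt/evidence/sdX.raw
# (placeholder paths; point DST at external, trusted storage).
if [ "$#" -eq 2 ]; then
    image_disk "$1" "$2"
fi
```

Keep the `.sha256` file with the image and re-run `sha256sum -c` on it before every analysis session so a later change to the image is caught.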

