> At the time of the compromise I can see in each > servers sshd logs an entry like the following: > > Sep 22 12:57:14 test-vm sshd[25002]: pam_unix(sshd:session): session > opened for user root by (uid=0) > Sep 22 12:57:32 test-vm sshd[25002]: pam_unix(sshd:session): session > closed for user root >
Have you checked the integrity of sshd binary? It could be replaced with a copy that "forgets" to log so you don't get the sshd logs (possibly after receiving a specified password). However the above logs are from pam (pam_unix does the logging on behalf of sshd) so it's not possible to disable this in the sshd binary itself. cheers, ν.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
