>>>>> "Paul" == Paul Heinlein <[email protected]> writes:
Paul> On Thu, 5 Mar 2009, Russell Senior wrote:
>> Even more disturbingly, su took me right to a root prompt. The
>> /etc/passwd and /etc/shadow appear to be intact. I immediately
>> assumed the worst and unplugged it from the network, booted a
>> live-cd and did some trolling through the filesystems. I found
>> evidence in /var/log/auth.log that two or three ssh-knockers had
>> logged in as root, but within a minute had logged out again. I
>> disregarded all the cool forensics stuff I learned at PLUG a month
>> ago.

Paul> How old is this Debian box? Have you run ssh-vulnkey to make
Paul> sure your system and user keys aren't predictable ala
Paul> CVE-2008-0166:

Paul> http://www.debian.org/security/2008/dsa-1571

It doesn't get as much attention as my other boxes, but I am pretty
sure I dealt with that last spring (or whenever it was). It is
possible I missed something. Running ssh-vulnkey gives me some
"Unknown" which is weird, since the openssh-blacklist package is
installed.

--
Russell Senior ``I have nine fingers; you have ten.''
[email protected]
_______________________________________________
PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug
