On Fri, 27 Oct 2006 13:54:07 -0600, "Daniel" <[EMAIL PROTECTED]> said:
> There was a successful ssh attack on one of our boxes. We need to allow ssh
> access to those outside the organization. The attacker put a homegrown
> rootkit on the server. The rootkit was stopped, but since then ssh has been
> logging to /var/log/messages. The relevant configuration files I know about
> (/etc/ssh/sshd_config, /etc/ssh/ssh_config, /etc/syslog) are the same as a
> server that works. /var/log/secure is not getting any messages. What can
> I do to restore ssh to its previous state without reinstalling it?

You should reinstall; if you had a rootkit installed, you have no idea what else is compromised.

--
C++ is history repeated as tragedy. Java is history repeated as farce.
--Scott McKay

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
