I have people accessing this server who don't know much about computers and get freaked out when something changes. Will they notice something has changed when they use it the first time after the reinstall?
On 10/27/06, Charles Curley <[EMAIL PROTECTED]> wrote:
On Fri, Oct 27, 2006 at 02:49:07PM -0600, Daniel wrote:

> If I backup the /etc/ssh/ folder and reinstall then copy the /etc/ssh/
> folder back will this be fine?

No.

1) You don't know what's in the existing /etc/ssh directory.

2) You don't know what is elsewhere in the system, say, oh, /root/.ssh.

3) Paranoids live longer.

> On 10/27/06, Jason Holt <[EMAIL PROTECTED]> wrote:
> >
> > On Fri, 27 Oct 2006, Jonathan Ellis wrote:
> >
> > > On Fri, 27 Oct 2006 13:54:07 -0600, "Daniel" <[EMAIL PROTECTED]> said:
> > > > There was a successful ssh attack on one of our boxes. We need to allow
> > > > ssh access to those outside the organization. The attacker put a homegrown
> > > > rootkit on the server. The rootkit was stopped, but since then ssh has
> > > > been logging to /var/log/messages. The relevant configuration files I know
> > > > about (/etc/ssh/sshd_config, /etc/ssh/ssh_config, /etc/syslog) are the same
> > > > as on a server that works. /var/log/secure is not getting any messages. What
> > > > can I do to restore ssh to its previous state without reinstalling it?
> > >
> > > You should reinstall; if you had a rootkit installed, you have no idea
> > > what else is compromised.
> >
> > Indeed. And if you don't believe us, ask Ken Thompson:
> >
> > http://www.acm.org/classics/sep95/
> >
> > (He came to a security talk I gave the other day. w00t!)

-- 
Charles Curley                  /"\    ASCII Ribbon Campaign
Looking for fine software       \ /    Respect for open standards
and/or writing?                  X     No HTML/RTF in email
http://www.charlescurley.com    / \    No M$ Word docs in email

Key fingerprint = CE5C 6645 A45A 64E4 94C0 809C FFF6 4C48 4ECD DFDB

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
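Editor's added example, not code posted by anyone in this thread. Charles's point is that after a rootkit you cannot trust what is sitting in /etc/ssh or in any ~/.ssh directory, so before (or instead of) carrying anything across, inventory it. The script below parses OpenSSH public-key lines in the format shared by authorized_keys files and ssh_host_*_key.pub files, prints each key's type, SHA256 fingerprint (computed the way `ssh-keygen -lf` does: SHA-256 over the decoded key blob, base64 with padding stripped) and any from=/command= restrictions, and lists the keys that would grant an unrestricted shell so every one of them can be matched to a known owner. The file contents, the key blobs and the "restricted" heuristic are all constructed for illustration; the blobs are placeholder bytes, not real keys. The same fingerprint routine applied to the new server's host key is what to hand to the users who will otherwise see an unfamiliar host-key prompt after the reinstall.

```python
import base64
import binascii
import hashlib
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Key types OpenSSH writes in the first non-option field of a public key line.
KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}

# Constructed sample standing in for /root/.ssh/authorized_keys on the
# compromised box. The base64 blobs are placeholder bytes, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
# admin key, known to the team
ssh-rsa QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo= admin@workstation
from="10.0.0.0/8",command="/usr/local/bin/backup run",no-pty ssh-ed25519 c29tZS1ieXRlcy1mb3ItYS10ZXN0 backup@nas

ssh-rsa YXR0YWNrZXJzLXBsYW50ZWQta2V5LWJsb2I=
"""

# Constructed sample standing in for /etc/ssh/ssh_host_ed25519_key.pub.
SAMPLE_HOST_KEY = "ssh-ed25519 c29tZS1ieXRlcy1mb3ItYS10ZXN0 root@server"


@dataclass
class KeyEntry:
    line_no: int
    options: str        # leading options such as from=, command=, no-pty ("" if none)
    key_type: str
    fingerprint: str    # "SHA256:<base64 without padding>", as ssh-keygen -lf prints it
    comment: str
    restricted: bool    # editor's heuristic: from= or command= limits what the key can do


def openssh_fingerprint(blob: bytes) -> str:
    """SHA-256 of the raw key blob, base64 with '=' padding stripped (OpenSSH's format)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_public_key_line(line: str, line_no: int = 0) -> Optional[KeyEntry]:
    """Parse one authorized_keys / .pub line; None for blanks, comments and junk."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    # shlex keeps command="/path with spaces" together as one token.
    tokens = shlex.split(stripped)
    type_idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
    if type_idx is None or type_idx + 1 >= len(tokens):
        return None
    options = " ".join(tokens[:type_idx])
    try:
        blob = base64.b64decode(tokens[type_idx + 1], validate=True)
    except (binascii.Error, ValueError):
        return None   # not a decodable key blob; report nothing rather than guess
    comment = " ".join(tokens[type_idx + 2:])
    restricted = "from=" in options or "command=" in options
    return KeyEntry(line_no, options, tokens[type_idx],
                    openssh_fingerprint(blob), comment, restricted)


def audit_authorized_keys(text: str) -> List[KeyEntry]:
    """Every parseable key in an authorized_keys file, with its 1-based line number."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        entry = parse_public_key_line(line, n)
        if entry is not None:
            entries.append(entry)
    return entries


def unrestricted_keys(entries: List[KeyEntry]) -> List[KeyEntry]:
    """Keys that can open a full shell from anywhere; each one needs a known owner."""
    return [e for e in entries if not e.restricted]


def fingerprint_public_key(pub_line: str) -> str:
    """Fingerprint of a single .pub line, e.g. a host key to publish to users."""
    entry = parse_public_key_line(pub_line)
    if entry is None:
        raise ValueError("not an OpenSSH public key line")
    return entry.fingerprint


if __name__ == "__main__":
    keys = audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS)
    for k in keys:
        flag = "" if k.restricted else "  <-- unrestricted, confirm owner"
        print(f"line {k.line_no}: {k.key_type} {k.fingerprint} {k.comment!r}{flag}")
    print("host key:", fingerprint_public_key(SAMPLE_HOST_KEY))
```

Run it against the real files by reading each ~/.ssh/authorized_keys (and /root/.ssh/authorized_keys) into `audit_authorized_keys`; a key with no comment and no restrictions, like the last line of the sample, is exactly the kind of entry nobody will claim.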
