Just a note for the future: what I have done is move SSH to an obscure port way off in the boonies. Never had an SSH attack attempt since doing so. But yeah, everyone is correct: wipe that puppy and re-install clean.
On 10/27/06, Daniel <[EMAIL PROTECTED]> wrote:
> I have people accessing this server who don't know much about computers and get freaked out when something changes. Will they notice something has changed when they use it the first time after the reinstall?
>
> On 10/27/06, Charles Curley <[EMAIL PROTECTED]> wrote:
> >
> > On Fri, Oct 27, 2006 at 02:49:07PM -0600, Daniel wrote:
> > > If I backup the /etc/ssh/ folder and reinstall then copy the /etc/ssh/
> > > folder back will this be fine?
> >
> > No.
> >
> > 1) You don't know what's in the existing /etc/ssh directory.
> >
> > 2) You don't know what is elsewhere in the system, say, oh, /root/.ssh.
> >
> > 3) Paranoids live longer.
> >
> > > On 10/27/06, Jason Holt <[EMAIL PROTECTED]> wrote:
> > > >
> > > > On Fri, 27 Oct 2006, Jonathan Ellis wrote:
> > > >
> > > > > On Fri, 27 Oct 2006 13:54:07 -0600, "Daniel" <[EMAIL PROTECTED]> said:
> > > > > > There was a successful ssh attack on one of our boxes. We need to allow
> > > > > > ssh access to those outside the organization. The attacker put a
> > > > > > homegrown rootkit on the server. The rootkit was stopped, but since
> > > > > > then ssh has been logging to /var/log/messages. The relevant
> > > > > > configuration files I know about (/etc/ssh/sshd_config,
> > > > > > /etc/ssh/ssh_config, /etc/syslog) are the same as a server that works.
> > > > > > /var/log/secure is not getting any messages. What can I do to restore
> > > > > > ssh to its previous state without reinstalling it?
> > > > >
> > > > > You should reinstall; if you had a rootkit installed, you have no idea
> > > > > what else is compromised.
> > > >
> > > > Indeed. And if you don't believe us, ask Ken Thompson:
> > > >
> > > > http://www.acm.org/classics/sep95/
> > > >
> > > > (He came to a security talk I gave the other day. w00t!)
> > > >
> > > > /*
> > > > PLUG: http://plug.org, #utah on irc.freenode.net
> > > > Unsubscribe: http://plug.org/mailman/options/plug
> > > > Don't fear the penguin.
> > > > */
> >
> > --
> > Charles Curley                  /"\    ASCII Ribbon Campaign
> > Looking for fine software       \ /    Respect for open standards
> > and/or writing?                  X     No HTML/RTF in email
> > http://www.charlescurley.com    / \    No M$ Word docs in email
> >
> > Key fingerprint = CE5C 6645 A45A 64E4 94C0 809C FFF6 4C48 4ECD DFDB
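Charles's points above (you don't know what is in /etc/ssh, or in /root/.ssh and elsewhere) argue against copying anything back blindly. As an added example, not from the thread or any of its participants, here is a small audit a defender could run over an sshd_config and an authorized_keys file copied off the box before deciding whether any of it is worth carrying over; the baseline values and the sample inputs are constructed assumptions, not the thread's own data.

```python
import re

# Hypothetical baseline (an assumption) for a host that must accept SSH from outside.
# On a Red Hat style syslog.conf, authpriv.* goes to /var/log/secure, while sshd's
# compiled-in default facility AUTH goes to /var/log/messages, the symptom in the thread.
EXPECTED = {"permitrootlogin": "no", "passwordauthentication": "no", "syslogfacility": "authpriv"}
KEY_RE = re.compile(r"(?:^|\s)(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-\S+)\s+([A-Za-z0-9+/=]+)")

def parse_sshd_config(text):
    """Global section of sshd_config as {keyword: value}; sshd keeps the FIRST value it sees."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":  # conditional blocks follow; out of scope for this audit
            break
        conf.setdefault(key, value)
    return conf

def check_sshd_config(text):
    """Return (keyword, found, expected) for each baseline directive that is unset or differs."""
    conf = parse_sshd_config(text)
    return [(k, conf.get(k, "<unset>"), want)
            for k, want in EXPECTED.items() if conf.get(k, "").lower() != want]

def audit_authorized_keys(text):
    """One record per key entry; anything before the key type is an options string to read closely."""
    records = []
    for n, raw in enumerate(text.splitlines(), 1):
        s = raw.strip()
        if not s or s.startswith("#"):
            continue
        m = KEY_RE.search(s)
        if not m:
            records.append({"line": n, "error": "unparseable"})
            continue
        records.append({"line": n, "type": m.group(1), "options": s[:m.start()].strip(),
                        "comment": s[m.end():].strip()})
    return records

# Constructed sample inputs, standing in for files copied off the compromised box.
SAMPLE_SSHD_CONFIG = "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\nSyslogFacility AUTH\n"
SAMPLE_ROOT_KEYS = ("ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAconstructed== admin@backup-host\n"
                    "no-pty ssh-dss AAAAB3NzaC1kc3MAAACBAconstructed=\n")

if __name__ == "__main__":
    for k, found, want in check_sshd_config(SAMPLE_SSHD_CONFIG):
        print(f"sshd_config: {k} is {found}, baseline wants {want}")
    for rec in audit_authorized_keys(SAMPLE_ROOT_KEYS):
        print("authorized_keys:", rec)
```

Every key the audit lists still needs a human who can vouch for it; the script only makes the inventory explicit, it does not decide what is safe.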
