On Tue, 10 Aug 2010, Simon Waters wrote:
> On 10/08/10 19:21, Gordon Henderson wrote:
>> 's what I do when a site has changed - although I tend to simply delete the known_hosts file from time to time...
>
> What is the advantage in this?
Laziness on my part. I had a whole bunch of remote boxes upgraded/rebuilt which installed new host keys and it started to be a pita to remove all the keys individually.
>> I discovered a client's server with a hacked version of sshd installed recently... Still no idea how they got in or got root privs. to make the changes. Very frustrating.
>
> Hmm, curious. I wonder why "sshd"; I can understand hacking the "ssh" client, since then one can harvest passwords and passphrases. But I'd have thought sshd had few advantages, maybe they were adding a backdoor, or to configure a keylogger when a shell is spawned. Did you identify the malware?
Yes - big backdoor - it bound to many other ports. Part of their install script turned off firewalling (iptables -F), and deleted /etc/ssh/sshd_config. It also installed /sbin/shs - a string dump of that only revealed "[Welcome Morfeus]".
(data was copied off and the box rebuilt from scratch fwiw, but still no idea how they got root access - it wasn't even running any 3rd-party PHP scripts)
Gordon

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
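A per-host alternative to deleting the whole known_hosts file, added here as an example and not taken from the thread: `ssh-keygen -R hostname` does this for you, and the reason a plain grep often cannot is that with HashKnownHosts the host field is stored as `|1|salt|HMAC-SHA1(salt, hostname)`. The script below reimplements that matching in Python over constructed sample entries (placeholder keys and salt, hypothetical hostnames) so that only the rebuilt hosts' entries are dropped and the trust already established with every other host is kept.

```python
import base64
import hashlib
import hmac

def hash_host(hostname: str, salt: bytes) -> str:
    """Build a hashed host field in OpenSSH's |1|salt|hash format (HMAC-SHA1)."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()

def host_field_matches(host_field: str, hostname: str) -> bool:
    """True if a known_hosts host field (plain or hashed) names hostname."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = host_field.split("|")
        salt = base64.b64decode(salt_b64)
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, base64.b64decode(mac_b64))
    # Plain entries are a comma-separated list matched literally, so an
    # entry written as "[host]:2222" must be passed in that exact form.
    return hostname in host_field.split(",")

def prune_known_hosts(lines, rebuilt_hosts):
    """Drop entries for rebuilt hosts; return (kept_lines, removed_count)."""
    kept, removed = [], 0
    for line in lines:
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            kept.append(line)  # blank line or comment: leave as-is
            continue
        # @cert-authority / @revoked markers precede the host field.
        host_field = fields[1] if fields[0].startswith("@") else fields[0]
        if any(host_field_matches(host_field, h) for h in rebuilt_hosts):
            removed += 1
        else:
            kept.append(line)
    return kept, removed

# Constructed sample data (placeholder salt and key material, not real keys).
SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = [
    "# known_hosts sample, constructed for this example",
    "web1.example.net,192.0.2.10 ssh-ed25519 AAAAC3PLACEHOLDERKEY1",
    "db1.example.net ssh-rsa AAAAB3PLACEHOLDERKEY2",
    hash_host("web2.example.net", SALT) + " ssh-ed25519 AAAAC3PLACEHOLDERKEY3",
]
REBUILT_HOSTS = ["web1.example.net", "web2.example.net"]

if __name__ == "__main__":
    kept, removed = prune_known_hosts(SAMPLE_KNOWN_HOSTS, REBUILT_HOSTS)
    print("removed %d stale entries, kept %d lines" % (removed, len(kept)))
    print("\n".join(kept))
```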