Re: [LUG] ssh editing knownhosts

On Tue, 10 Aug 2010, Simon Waters wrote:

> On 10/08/10 19:21, Gordon Henderson wrote:
>> 's what I do when a site has changed - although I tend to simply delete
>> the known_hosts file from time to time...
>
> What is the advantage in this?

Laziness on my part.

I had a whole bunch of remote boxes upgraded/rebuilt which installed new host keys and it started to be a pita to remove all the keys individually.

>> I discovered a client's server with a hacked version of sshd installed
>> recently... Still no idea how they got in or got root privs. to make the
>> changes. Very frustrating.
>
> Hmm, curious I wonder why "sshd", I can understand hacking the "ssh"
> client, since then one can harvest passwords and passphrases.
>
> But I'd have thought sshd had few advantages, maybe they were adding a
> backdoor, or to configure keylogger when a shell is spawned. Did you
> identify the malware?

Yes - big backdoor - it bound to many other ports. Part of their install
script turned off firewalling (iptables -F), and deleted
/etc/ssh/sshd_config. It also installed /sbin/shs - a string dump of that
only revealed "[Welcome Morfeus]"
(data was copied off and box rebuilt from scratch fwiw, but still no idea
how they got root access - it wasn't even running any 3rd-party PHP
scripts)

Gordon
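Deleting the whole known_hosts file throws away the trust-on-first-use record for every host, not just the rebuilt ones, so the next connection to an unchanged box would silently accept a substituted key. `ssh-keygen -R hostname` removes one host's entries instead; the added example below (not code from the thread) does the same selectively over a constructed known_hosts file, including entries written in OpenSSH's HashKnownHosts form (`|1|base64(salt)|base64(HMAC-SHA1(salt, hostname))`). The hostnames, salt and key string are constructed placeholders; wildcard patterns and `[host]:port` forms are not handled.

```python
import base64
import hashlib
import hmac

# Constructed placeholder key blob; not a real host key.
FAKE_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYNOTREALEXAMPLEKEYNOTREAL"


def hashed_hostname(host, salt):
    """Build the HashKnownHosts field for one hostname: |1|salt|HMAC-SHA1(salt, host)."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def hostname_matches(field, host):
    """True if a known_hosts hostname field (plain, comma list, or hashed) names host."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|", 3)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(mac_b64)
        actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return host in field.split(",")


def remove_hosts(known_hosts_text, rebuilt_hosts):
    """Drop only lines whose hostname field matches a rebuilt host.
    Returns (new_text, removed_line_count); comments and blank lines are kept."""
    kept, removed = [], 0
    for line in known_hosts_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            kept.append(line)
            continue
        fields = stripped.split()
        # Lines may start with a marker such as @cert-authority or @revoked;
        # the hostname field follows it.
        name_field = fields[1] if fields[0].startswith("@") else fields[0]
        if any(hostname_matches(name_field, h) for h in rebuilt_hosts):
            removed += 1
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed


# Constructed sample file: one plain entry with an alias, one hashed, one untouched.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "box1.example.net,10.0.0.11 " + FAKE_KEY,
    hashed_hostname("box2.example.net", b"0123456789abcdefghij") + " " + FAKE_KEY,
    "box3.example.net " + FAKE_KEY,
])
```

Running `remove_hosts(SAMPLE_KNOWN_HOSTS, ["box1.example.net", "box2.example.net"])` removes the two rebuilt hosts' lines and leaves box3 and the comment in place.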

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq