ssh2

roland roland at cat.be
Wed Sep 17 06:49:43 UTC 2008


On Tue, 16 Sep 2008 22:19:51 +0200, Nifty Fedora Mitch <niftyfedora at niftyegg.com> wrote:

> On Tue, Sep 16, 2008 at 11:30:14AM +0200, roland wrote:
>>
>> I am using a terminal emulator, Anita, to log in to a server, which validates
>> the ssh connection with the 3DES cipher.
>>
>> Now this server is hacked, somebody entered with the root user.
>> Suddenly I have ssh2
>
> So root has been compromised?
> How do you know?
>
I saw the login in /var/log/messages.
And suddenly I had a dir ssh2 in /root, which is not normal, I think. One
only gets it when generating an rsa or dsa key, isn't it?

>> So now I get the following message, when trying to login:
>> dsa_verify failed for server_host_key
>>
>> I see the directory .ssh2 in the /root directory, but not in any $HOME dir
>>
>> How can I stop ssh2 verifying?
>>
>> Or is there something else I can do?
>
> Was Anita compromised?
No, because I have the same problem here from Greece.

> Was Anita updated?
No, why should I? It always worked, and this version of mine works with
all other clients.

> Was Anita changed?
No, same answer.

I have to say, something awkward is going on there, because all
workstations failed to connect with Anita, except one.

> Was the author of Anita contacted?
No.
> Anita for windows?
Yes.
> Anita for the web?
>
> Is Anita connecting to sshd on the linux host in the same way that Putty does?
>
How can I tell? ssh is not a thing I could say I master.

> Can you login and 'su -' to root......
Yes.

I changed the password and now this guy is trying to log in again, but
fails. Apparently he was not ready, but maybe changed the key.
>
> If so you can look at the logs?
> Do the logs make sense?
Yes, like I said above.

>
> dsa_verify failed for server_host_key tells me that a key was changed,
> not that the host was compromised... If you update the key the
> old key needs to be removed....  F
>
Can you tell me what the best way is to generate those keys, because my
last experience with this failed.

> Is it possible that the night shift upgraded to ssh2 or added it?
I am the only one.

> Is it possible that the night shift added (incorrectly) their own key?
> -- php, perl, java, etc...
Like above.
>
> As others indicated -- IF it has been HACKED
> SHUT IT DOWN, pull the plug.  The legal liability
> of keeping a hacked system up and running
> is large.
As I said, I will do this when I'm back from holidays.
>
> Are the keys in the .ssh2 dir telling you anything...
??.
>
> If .ssh2 does not contain your keys -- rename/remove it.
>
> Do the keys in the .ssh2 dir belong to anyone... someone you can call.
> Sometimes the comments are informative and id a host or person.
>
> It might be that someone knows what was done in your absence.
> Who else has pass words or access to the systems?
Those who could know about the root password don't know anything about
linux or others.
>
>
How does ssh check keys? I am asking this because Anita fails before she
knows who is logging in. So if she takes the Windows login, which is mine,
she would log in or check in $HOME/.ssh. And in $HOME there is no .ssh2, so
probably it will be checked in /etc/ssh/ for dsa and rsa keys. So if I
remove those keys, would that change it?

Thanks again
roland
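As an added example that is not part of this thread: the comparison an ssh client makes when it reports a changed server host key, done by hand so the "dsa_verify failed for server_host_key" situation above can be reproduced and inspected. It parses a known_hosts file (what the client recorded earlier) and the server's current /etc/ssh host public key, computes the MD5 colon fingerprint that ssh-keygen -l printed at the time, and reports whether the key matches the record, has changed, or is unknown. The hostnames, IP and key blobs are constructed (they have the SSH wire layout but are not real DSA keys).

```python
import base64
import hashlib
import struct

def _ssh_string(b: bytes) -> bytes:
    """Length-prefixed string, as in the SSH wire format."""
    return struct.pack(">I", len(b)) + b

def make_blob(keytype: str, *fields: bytes) -> str:
    """Base64 public-key blob: key type string followed by its fields."""
    raw = _ssh_string(keytype.encode()) + b"".join(_ssh_string(f) for f in fields)
    return base64.b64encode(raw).decode()

# Constructed sample data (hypothetical, not from the thread).  The blobs have
# the real wire layout but made-up field bytes; they are not usable DSA keys.
OLD_BLOB = make_blob("ssh-dss", b"\x00\xa1" * 64, b"\x00\xb2" * 10, b"\x00\xc3" * 64, b"\x00\xd4" * 64)
NEW_BLOB = make_blob("ssh-dss", b"\x00\xe5" * 64, b"\x00\xf6" * 10, b"\x00\x17" * 64, b"\x00\x28" * 64)
KNOWN_HOSTS = ("# client's ~/.ssh/known_hosts as recorded before the incident\n"
               f"server.example.net,192.0.2.10 ssh-dss {OLD_BLOB}\n")
SERVER_PUB = f"ssh-dss {NEW_BLOB} root@server"   # current /etc/ssh/ssh_host_dsa_key.pub

def parse_pubkey(line: str):
    """Parse 'keytype base64 [comment]' into (keytype, raw blob bytes)."""
    keytype, b64 = line.split()[:2]
    raw = base64.b64decode(b64)
    n = struct.unpack(">I", raw[:4])[0]
    if raw[4:4 + n].decode() != keytype:      # blob header must name the same type
        raise ValueError("key type does not match blob header")
    return keytype, raw

def fingerprint(raw: bytes) -> str:
    """MD5 fingerprint in the colon form ssh-keygen -l printed at the time."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(raw).digest())

def parse_known_hosts(text: str):
    """Yield (hostnames, keytype, raw) for each non-comment known_hosts line."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            hosts, rest = line.split(None, 1)
            keytype, raw = parse_pubkey(rest)
            yield hosts.split(","), keytype, raw

def check_host_key(known_hosts: str, host: str, server_pub: str) -> str:
    """'match', 'changed' or 'unknown': is the server's current key the one on record?"""
    keytype, raw = parse_pubkey(server_pub)
    for hosts, kt, known_raw in parse_known_hosts(known_hosts):
        if host in hosts and kt == keytype:
            return "match" if known_raw == raw else "changed"
    return "unknown"
```

A "changed" result is exactly what makes a client refuse the connection; printing `fingerprint()` of both blobs and comparing with `ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub` on the server (from the console, not over the suspect connection) tells you whether the server's key was really replaced.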
