ssh2

roland roland at cat.be
Wed Sep 24 07:04:02 UTC 2008 

On Mon, 22 Sep 2008 15:47:26 +0200, Bill Davidsen <davidsen at tmr.com> wrote:

> roland wrote:
>> On Sat, 20 Sep 2008 20:48:47 +0200, Bill Davidsen <davidsen at tmr.com>  
>> wrote:
>>
>>> The worrying thing is that since the sshd now asks for ssh2 protocol  
>>> only, there is a new sshd operating, one you didn't install, and one  
>>> which may be copying keystroke data (login names and passwords) to  
>>> some unauthorized other site. I can't say that's happening, but this  
>>> has all of the characteristics of that. It could also be caused by an  
>>> upgrade of sshd, although I read your posts to say that only you could  
>>> do that.
>>>
>>> It would be useful to use 'ps' to see which sshd is running, and to do  
>>> an 'ls -l' and md5sum on the executable and post the values here. Also  
>>> a telnet to the ssh port usually gives the protocol and sshd version,  
>>> although that can be faked. Post that if you wish
>>  You will find it in  annex
>>  Thanks again for your time
>
>  From the attachment:
>
>  > telnet localhost 22
>  > Trying 127.0.0.1...
>  > Connected to localhost.
>  > Escape character is '^]'.
>  > SSH-2.0-SSH-1.99-OpenSSH_3.5p1
>
> That is a *very* old version of OpenSSH, nothing you got from Fedora, I  
> believe. I think it's something which the hacker installed, and a hacked  
> sshd would be the perfect place to capture login and password  
> information.
>
>  > service sshd status
>  > As you can see it doesn't give sshd but this crazy characters, in  
> both cases
>  >
>  > 1628 ?        S      0:02 ?a?@°Ó?@?
>  > 22871 ?        S      0:00 ?a?@°Ó?@?
>
> Just how old a Fedora do you have? This doesn't look at all as I would  
> expect. You might do "ls -lc /bin/ps" and see if that was recently  
> replaced as well. However:
>
>  > ls -l /usr/sbin/sshd
>  > -rwxr-xr-x    1 root     root      3963123 sep 16 00:03 /usr/sbin/sshd
>
> This looks as if the sshd was replaced a few days ago, shortly before  
> your first message to the list. That makes it even more likely that  
> passwords are being captured, perhaps even entire connect sessions.
>
> It looks as if the machine has been totally penetrated, and of course if  
> you don't use different account names and passwords for other machines  
> they have as well.
>
This is an old version of redhat workstation, just before fedora was  
released.
-r-xr-xr-x    1 root     root        69772 feb 20  2003 /bin/ps
-rw-r--r--    1 root     root           33 feb 26  2003 /etc/redhat-release
  more /etc/redhat-release
Red Hat Linux release 9 (Shrike)

I just wonder why this person/hacker is still trying to login with root  
and other names. So he must have been unsuccessful the first time. Now  
root login is blocked and the root passwd is  changed.

 From what you are saying I can understand that I should reinstall the  
server, even if he is not successfully login in again?



roland

More information about the fedora-list mailing list