ssh2

Nifty Fedora Mitch niftyfedora at niftyegg.com
Tue Sep 16 20:19:51 UTC 2008


On Tue, Sep 16, 2008 at 11:30:14AM +0200, roland wrote:
>
> I am using a terminal emulator Anita to login to a server, who validates
> the ssh connection with 3DES Cipher.
>
> Now this server is hacked, somebody entered with the root user.
> Suddenly I have ssh2

So root has been compromised?
How do you know?

> So now I get the following message, when trying to login:
> dsa_verify failed for server_host_key
>
> I see the directory .ssh2 in the /root directory, but not in any $HOME dir
>
> How can I stop ssh2 verifying?
>
> Or is there something else I can do?

Was Anita compromised?
Was Anita updated?
Was Anita changed?
Was the author of Anita contacted?
Anita for windows?
Anita for the web?

Is Anita connecting to sshd on the linux host in the same way that Putty does?

Can you login and 'su -' to root......

If so you can look at the logs?
Do the logs make sense?

dsa_verify failed for server_host_key tells me that a key was changed
not that the host was compromised... If you update the key the
old key needs to be removed....  F

Is it possible that the night shift upgraded to ssh2 or added it?
Is it possible that the night shift added (incorrectly) their own key?
-- php, perl, java, etc...

As others indicated -- IF it has been HACKED
SHUT IT DOWN, pull the plug.  The legal liability
of keeping a hacked system up and running 
is large.

Are the keys in the .ssh2 dir telling you anything....

If .ssh2 does not contain your keys -- rename/remove it.

Do the keys in the .ssh2 dir belong to anyone... someone you can call.
Sometimes the comments are informative and id a host or person.

It might be that someone knows what was done in your absence.
Who else has passwords or access to the systems?


-- 
	T o m  M i t c h e l l 
	Found me a new hat, now what?
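
One way to read the key comments mentioned in the message above, as an added example that is not part of the original post. It assumes the files in .ssh2 are public keys in the RFC 4716 "SSH2 PUBLIC KEY" format; the function names and the sample key are constructed for illustration.

```python
import base64, binascii, hashlib, struct

BEGIN, END = "---- BEGIN SSH2 PUBLIC KEY ----", "---- END SSH2 PUBLIC KEY ----"

def parse_ssh2_pubkey(text):
    """Parse one RFC 4716 public key file into type, headers and fingerprint."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an RFC 4716 (SSH2) public key file")
    headers, body, i = {}, [], 1
    while i < len(lines) - 1:
        line = lines[i]
        if ":" in line and not body:  # base64 never contains ':'
            # a trailing backslash continues the header on the next line
            while line.endswith("\\") and i + 1 < len(lines) - 1:
                i += 1
                line = line[:-1] + lines[i]
            tag, value = line.split(":", 1)
            headers[tag.strip().lower()] = value.strip().strip('"')
        else:
            body.append(line)
        i += 1
    try:
        blob = base64.b64decode("".join(body), validate=True)
    except binascii.Error as exc:
        raise ValueError("key body is not valid base64") from exc
    # the blob starts with a length-prefixed algorithm name, e.g. ssh-dss
    if len(blob) < 4 or struct.unpack(">I", blob[:4])[0] > len(blob) - 4:
        raise ValueError("truncated key blob")
    n = struct.unpack(">I", blob[:4])[0]
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": blob[4:4 + n].decode("ascii", "replace"),
            "comment": headers.get("comment", ""),
            "subject": headers.get("subject", ""),
            "fingerprint": "SHA256:" + digest}

def lp(b):  # SSH length-prefixed string
    return struct.pack(">I", len(b)) + b

# Constructed sample: dummy values in place of p, q, g, y; not a real key.
SAMPLE_BLOB = lp(b"ssh-dss") + lp(b"\x01" * 8) * 4
SAMPLE_TEXT = "\n".join([BEGIN,
    'Comment: "dsa key nightshift@\\',
    'buildhost.example"',
    base64.b64encode(SAMPLE_BLOB).decode(), END])

if __name__ == "__main__":
    for k, v in parse_ssh2_pubkey(SAMPLE_TEXT).items():
        print(f"{k:12} {v}")
```

Comparing the printed fingerprint with the keys that known administrators hold shows whether a key in .ssh2 belongs to someone who can be called.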



