RE: possibly compromised redhat 7.2 box UPDATE

["Melissa McGillis" <mcgillim () cis uab edu>]

Checked it out and found the suckit rootkit on that box as well as 4 others.
I'm in the process of reloading them. I don't have any extra drives or
anything to save info for forensic purposes. I've done some googling for the
info but most of what I've found is porn and people with the rootkit. Anyone
know any tech info on it? Or a good place to find detailed instructions on
locking down RH 7.2? (Boss won't let me upgrade or switch to another OS,
hands are tied).
Anything helps,
Melissa
(please note I am not affiliated with UAB, this is just the email I use for
mailing lists.)

-----Original Message-----
From: Brecrost Jones [mailto:brecrost () hotmail com]
Sent: Tuesday, May 25, 2004 3:25 PM
To: mcgillim () cis uab edu
Cc: security-basics () securityfocus com
Subject: RE: possibly compromised redhat 7.2 box


Also, check which SSH protocols sshd is allowing (probably
/etc/ssh/sshd_config, or thereabouts), and which protocol your SSH client is
using (if PuTTY, look under Connection->SSH).  If your sshd or PuTTY has
been upgraded recently, there may be a mismatch.  I think the latest version
of PuTTY was changed to default to SSH protocol version 2, maybe your server
is only allowing version 1 (?).  Or perhaps sshd was upgraded, and defaults
to version 2, but you PuTTY is set to use version 1 only.

Hope that helps.



> -----Original Message-----
> From: Kalpin Erlangga Silaen [mailto:kalpin () solonet co id] Sent: May 23,
> 2004 10:56 PM
> To: Melissa McGillis; Security-Basics
> Subject: Re: possibly compromised redhat 7.2 box
>
>
> Dear Melissa,
> I think this happen because someone (I hope s/he is your Administrator)
> changed/upgraded your sshd. To fix it, try to edit your known_hosts2 at
> ~/.ssh/
> or just remove ~/.ssh by typing : $rm -rf .ssh.
> If you are using windows then remove putty.rnd (if you are using putty)
> from
> root directory (please read the manual).
>
>
> I hope this will help you
>
>
> Regards,
>
>
>
> Kalpin Erlangga S
>
> ----- Original Message -----
> From: "Melissa McGillis" <mcgillim () cis uab edu>
> To: "Security-Basics" <security-basics () securityfocus com>
> Sent: Friday, May 21, 2004 2:17 AM
> Subject: possibly compromised redhat 7.2 box
>
>
> > Hello,
> >
> > I have a redhat 7.2 server that stopped accepting my ssh login. I can
> still
> > use my login at the terminal. I also noticed that the host key changed.
> My
> > only guess at this point is that the box was probably compromised. Any
> good
> > software out there to help me figure it out? Any other ideas as to what
> > would cause this?
> > Anything helps,
> > Melissa
> > (THIS IS IN NO WAY AFFILIATED WITH UAB. It's just the address I use for
> > lists.)

_________________________________________________________________
MSN Premium with Virus Guard and Firewall* from McAfee® Security : 2 months
FREE*
http://join.msn.com/?pgmarket=en-ca&page=byoa/prem&xAPID=1994&DI=1034&SU=htt
p://hotmail.com/enca&HL=Market_MSNIS_Taglines


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------