Security Basics mailing list archives
RE: possibly compromised redhat 7.2 box UPDATE
From: "Melissa McGillis" <mcgillim () cis uab edu>
Date: Wed, 26 May 2004 10:49:05 -0500
Checked it out and found the suckit rootkit on that box as well as 4 others. I'm in the process of reloading them. I don't have any extra drives or anything to save info for forensic purposes. I've done some googling for the info but most of what I've found is porn and people with the rootkit. Anyone know any tech info on it? Or a good place to find detailed instructions on locking down RH 7.2? (Boss won't let me upgrade or switch to another OS, hands are tied). Anything helps, Melissa (please note I am not affiliated with UAB, this is just the email I use for mailing lists.) -----Original Message----- From: Brecrost Jones [mailto:brecrost () hotmail com] Sent: Tuesday, May 25, 2004 3:25 PM To: mcgillim () cis uab edu Cc: security-basics () securityfocus com Subject: RE: possibly compromised redhat 7.2 box Also, check which SSH protocols sshd is allowing (probably /etc/ssh/sshd_config, or thereabouts), and which protocol your SSH client is using (if PuTTY, look under Connection->SSH). If your sshd or PuTTY has been upgraded recently, there may be a mismatch. I think the latest version of PuTTY was changed to default to SSH protocol version 2, maybe your server is only allowing version 1 (?). Or perhaps sshd was upgraded, and defaults to version 2, but you PuTTY is set to use version 1 only. Hope that helps.
-----Original Message----- From: Kalpin Erlangga Silaen [mailto:kalpin () solonet co id] Sent: May 23, 2004 10:56 PM To: Melissa McGillis; Security-Basics Subject: Re: possibly compromised redhat 7.2 box Dear Melissa, I think this happen because someone (I hope s/he is your Administrator) changed/upgraded your sshd. To fix it, try to edit your known_hosts2 at ~/.ssh/ or just remove ~/.ssh by typing : $rm -rf .ssh. If you are using windows then remove putty.rnd (if you are using putty) from root directory (please read the manual). I hope this will help you Regards, Kalpin Erlangga S ----- Original Message ----- From: "Melissa McGillis" <mcgillim () cis uab edu> To: "Security-Basics" <security-basics () securityfocus com> Sent: Friday, May 21, 2004 2:17 AM Subject: possibly compromised redhat 7.2 boxHello, I have a redhat 7.2 server that stopped accepting my ssh login. I canstilluse my login at the terminal. I also noticed that the host key changed.Myonly guess at this point is that the box was probably compromised. Anygoodsoftware out there to help me figure it out? Any other ideas as to what would cause this? Anything helps, Melissa (THIS IS IN NO WAY AFFILIATED WITH UAB. It's just the address I use for lists.)
_________________________________________________________________ MSN Premium with Virus Guard and Firewall* from McAfee® Security : 2 months FREE* http://join.msn.com/?pgmarket=en-ca&page=byoa/prem&xAPID=1994&DI=1034&SU=htt p://hotmail.com/enca&HL=Market_MSNIS_Taglines --------------------------------------------------------------------------- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ----------------------------------------------------------------------------
Current thread:
- possibly compromised redhat 7.2 box Melissa McGillis (May 21)
- Re: possibly compromised redhat 7.2 box Kalpin Erlangga Silaen (May 25)
- <Possible follow-ups>
- Re: possibly compromised redhat 7.2 box Eric Gunnett (May 21)
- Re: possibly compromised redhat 7.2 box James Turnbull (May 25)
- RE: possibly compromised redhat 7.2 box Brecrost Jones (May 26)
- RE: possibly compromised redhat 7.2 box UPDATE Melissa McGillis (May 27)
- Re: possibly compromised redhat 7.2 box UPDATE - harden Alvin Oga (May 27)
- Re: possibly compromised redhat 7.2 box James Kelly (May 27)
- RES: possibly compromised redhat 7.2 box Nelson B. dos Santos Neto (May 27)
- RE: possibly compromised redhat 7.2 box UPDATE Melissa McGillis (May 27)