Security Basics mailing list archives

RES: possibly compromised redhat 7.2 box


From: "Nelson B. dos Santos Neto" <nelson () engesis com>
Date: Wed, 26 May 2004 23:07:53 -0300

You should try Tripwire (www.tripwire.org). It won't help you
now, but it will prevent it from happening again.

Nelson

-----Original Message-----
From: Brecrost Jones [mailto:brecrost () hotmail com]
Sent: Tuesday, May 25, 2004 17:25
To: mcgillim () cis uab edu
Cc: security-basics () securityfocus com
Subject: RE: possibly compromised redhat 7.2 box

Also, check which SSH protocols sshd is allowing (probably
/etc/ssh/sshd_config, or thereabouts), and which protocol your SSH
client is using (if PuTTY, look under Connection->SSH).  If your sshd
or PuTTY has been upgraded recently, there may be a mismatch.  I think
the latest version of PuTTY was changed to default to SSH protocol
version 2, maybe your server is only allowing version 1 (?).  Or
perhaps sshd was upgraded, and defaults to version 2, but your PuTTY is
set to use version 1 only.

Hope that helps.



-----Original Message-----
From: Kalpin Erlangga Silaen [mailto:kalpin () solonet co id]
Sent: May 23, 2004 10:56 PM
To: Melissa McGillis; Security-Basics
Subject: Re: possibly compromised redhat 7.2 box


Dear Melissa,
I think this happened because someone (I hope s/he is your Administrator)
changed/upgraded your sshd. To fix it, try to edit your known_hosts2 at
~/.ssh/ or just remove ~/.ssh by typing : $rm -rf .ssh.
If you are using Windows then remove putty.rnd (if you are using PuTTY)
from the root directory (please read the manual).


I hope this will help you


Regards,



Kalpin Erlangga S

----- Original Message -----
From: "Melissa McGillis" <mcgillim () cis uab edu>
To: "Security-Basics" <security-basics () securityfocus com>
Sent: Friday, May 21, 2004 2:17 AM
Subject: possibly compromised redhat 7.2 box


Hello,

I have a redhat 7.2 server that stopped accepting my ssh login. I can
still use my login at the terminal. I also noticed that the host key
changed. My only guess at this point is that the box was probably
compromised. Any good software out there to help me figure it out? Any
other ideas as to what would cause this?
Anything helps,
Melissa
(THIS IS IN NO WAY AFFILIATED WITH UAB. It's just the address I use for
lists.)
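
The two checks suggested in this thread, as an added example that is not part of any of the messages above: read which protocol versions sshd accepts, and compare a protocol 2 known_hosts entry with the server's current public host key file. The function names, host name, file contents and key strings are constructed for illustration; hashed known_hosts entries and the protocol 1 key format are not handled.

```shell
#!/bin/sh
# Added example; function names and all sample data are constructed.

# Print the protocol list sshd accepts. sshd uses the first value it
# reads for a keyword, and keywords are case-insensitive.
sshd_protocols() {   # $1 = sshd_config path
    awk 'tolower($1) == "protocol" { print $2; found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Succeed if the server accepts the version the client insists on.
client_allowed() {   # $1 = sshd_config path, $2 = client protocol (1 or 2)
    case ",$(sshd_protocols "$1")," in
        ,unset,)  return 2 ;;   # compiled-in default applies; see sshd_config(5)
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Compare the protocol 2 key the client stored for a host with the
# server's current public key file: prints match, changed or unknown.
hostkey_status() {   # $1 = known_hosts file, $2 = host, $3 = server .pub file
    known=$(awk -v h="$2" '{ n = split($1, names, ",")
        for (i = 1; i <= n; i++)
            if (names[i] == h) { print $2, $3; exit } }' "$1")
    [ -n "$known" ] || { echo unknown; return 0; }
    current=$(awk '{ print $1, $2; exit }' "$3")
    if [ "$known" = "$current" ]; then echo match; else echo changed; fi
}

# Constructed sample files (the key strings are placeholders, not real keys).
demo=$(mktemp -d) && trap 'rm -rf "$demo"' EXIT
printf '%s\n' '# constructed sshd_config' 'Port 22' 'Protocol 1' > "$demo/sshd_config"
printf '%s\n' 'server1,192.0.2.10 ssh-rsa AAAAconstructedOLDkey' > "$demo/known_hosts2"
printf '%s\n' 'ssh-rsa AAAAconstructedNEWkey root@server1' > "$demo/ssh_host_rsa_key.pub"

echo "server accepts protocol: $(sshd_protocols "$demo/sshd_config")"
client_allowed "$demo/sshd_config" 2 || echo "a version-2-only client is refused"
echo "stored key vs server key: $(hostkey_status "$demo/known_hosts2" server1 "$demo/ssh_host_rsa_key.pub")"
```

A "changed" result only says the stored and current keys differ; whether an administrator regenerated the key or someone else replaced it has to be established from the console, not over the SSH session in question.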


