Security Basics mailing list archives

SSH newkeys.


From: Paul Halliday <paul.halliday () gmail com>
Date: Fri, 11 Dec 2009 10:12:39 -0400

I had a host that was compromised over the weekend and I am still
scratching my head a bit on what went on.

Before the box was rooted there were a bunch of these:

46      2009-12-06 09:27:55.644224      172.16.0.15     22      92.240.75.6     36332   SSHv2   Server: New Keys
47      2009-12-06 09:27:55.799383      92.240.75.6     36332   172.16.0.15     22      SSHv2   Client: New Keys

These occurred about every 3-4 seconds. In total there were fewer than 500 of
these before another host swept in with the correct key.
There were no previous scans against this host, and it was a relatively new install.

I have played with a couple different ssh scanners and I can't
duplicate this pattern.

I am reading: http://www.snailbook.com/docs/transport.txt between 7.3 and 8.

This isn't a user/password exchange.

Can anyone shed some light on what was going on?

Thanks.
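Added example, not code from the post or the list: a small Python parser for capture rows in the same export format as the two frames quoted above. It counts the "Client: New Keys" frames per client/server pair (each one is a completed key exchange, i.e. one new SSH session; the password or key check that follows happens inside the encrypted layer, so the dissector never shows it) and flags pairs that keep opening sessions a few seconds apart, the footprint described in the message. The extra sample rows and the 10.0.0.9 client are constructed; the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Row layout as exported in the post: frame, timestamp, src, sport, dst, dport, proto, info
ROW = re.compile(r"^(\d+)\s+(\S+ \S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(.*)$")

# Constructed sample: the two frames from the post, made-up frames continuing the
# same 3-4 second pattern from 92.240.75.6, and one unrelated client for contrast.
SAMPLE = """\
46  2009-12-06 09:27:55.644224  172.16.0.15  22  92.240.75.6  36332  SSHv2  Server: New Keys
47  2009-12-06 09:27:55.799383  92.240.75.6  36332  172.16.0.15  22  SSHv2  Client: New Keys
52  2009-12-06 09:27:59.101000  172.16.0.15  22  92.240.75.6  36340  SSHv2  Server: New Keys
53  2009-12-06 09:27:59.250000  92.240.75.6  36340  172.16.0.15  22  SSHv2  Client: New Keys
60  2009-12-06 09:28:02.700000  172.16.0.15  22  92.240.75.6  36351  SSHv2  Server: New Keys
61  2009-12-06 09:28:02.850000  92.240.75.6  36351  172.16.0.15  22  SSHv2  Client: New Keys
70  2009-12-06 10:15:00.000000  172.16.0.15  22  10.0.0.9  50123  SSHv2  Server: New Keys
71  2009-12-06 10:15:00.120000  10.0.0.9  50123  172.16.0.15  22  SSHv2  Client: New Keys
"""

def client_newkeys(text):
    """Yield (time, client_ip, server_ip) for every 'Client: New Keys' frame.
    One per TCP connection: it marks a finished key exchange, i.e. one new SSH
    session. Whatever authentication follows is encrypted and not in the capture."""
    for line in text.splitlines():
        m = ROW.match(line)
        if not m or m.group(7) != "SSHv2" or m.group(8).strip() != "Client: New Keys":
            continue
        yield datetime.strptime(m.group(2), "%Y-%m-%d %H:%M:%S.%f"), m.group(3), m.group(5)

def repeated_kex(text, min_sessions=3, max_mean_gap=10.0):
    """Return {(client, server): (sessions, mean_gap_seconds)} for pairs that opened
    at least min_sessions SSH sessions with a mean gap of at most max_mean_gap
    seconds: bare key exchanges every few seconds from one source are the
    on-the-wire shape of automated login attempts (thresholds are assumptions)."""
    by_pair = defaultdict(list)
    for ts, client, server in client_newkeys(text):
        by_pair[(client, server)].append(ts)
    flagged = {}
    for pair, times in by_pair.items():
        times.sort()
        if len(times) < max(min_sessions, 2):  # need two sessions to have a gap
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = sum(gaps) / len(gaps)
        if mean_gap <= max_mean_gap:
            flagged[pair] = (len(times), round(mean_gap, 3))
    return flagged

if __name__ == "__main__":
    for (client, server), (n, gap) in repeated_kex(SAMPLE).items():
        print(f"{client} -> {server}: {n} sessions, mean gap {gap}s")
```

On a real export, feed the whole file to `repeated_kex`; a pair with hundreds of sessions and a single-digit mean gap is the pattern from the post, while a client that opened one session (as 10.0.0.9 does in the sample) is not reported.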
