On Tue, 16 Sep 2008 22:19:51 +0200, Nifty Fedora Mitch
<niftyfedora@xxxxxxxxxxxx> wrote:
On Tue, Sep 16, 2008 at 11:30:14AM +0200, roland wrote:
I am using a terminal emulator Anita to login to a server, which validates
the ssh connection with 3DES Cipher.
Now this server is hacked, somebody entered with the root user.
Suddenly I have ssh2
So root has been compromised?
How do you know?
I saw the login in /var/log/messages
And suddenly I had a dir ssh2 in /root which is not normal I think. One
only gets it when generating a rsa or dsa key, isn't it?
So now I get the following message, when trying to login:
dsa_verify failed for server_host_key
I see the directory .ssh2 in the /root directory, but not in any $HOME
dir
How can I stop ssh2 verifying?
Or is there something else I can do?
Was Anita compromised?
No, because I have the same problem here from out of Greece
Was Anita updated?
No, why should I, it always worked, and this version of mine works with
all other clients
Was Anita changed?
No, same answer
I have to say, something awkward is going on there, because all
workstations failed to connect Anita, except one.
Was the author of Anita contacted?
No
Anita for windows?
yes
Anita for the web?
Is Anita connecting to sshd on the linux host in the same way that Putty
does?
How can I tell? ssh is not a thing I could say I master.
Can you login and 'su -' to root......
yes
I changed the password and now this guy is trying to login again, but
fails. Apparently he was not ready, but maybe changed the key.
If so you can look at the logs?
Do the logs make sense?
Yes, like I said above.
dsa_verify failed for server_host_key tells me that a key was changed
not that the host was compromised... If you update the key the
old key needs to be removed.... F
can you tell me what the best way is to generate those keys, because my
last experience with this failed.
Is it possible that the night shift upgraded to ssh2 or added it?
I am the only one.
Is it possible that the night shift added (incorrectly) their own key?
-- php, perl, java, etc...
like above
As others indicated -- IF it has been HACKED
SHUT IT DOWN, pull the plug. The legal liability
of keeping a hacked system up and running
is large.
As I said, I will do this when I'm back from holidays.
Are the keys in the .ssh2 dir telling you anything...
??.
If .ssh2 does not contain your keys -- rename/remove it.
Do the keys in the .ssh2 dir belong to anyone... someone you can call.
Sometimes the comments are informative and id a host or person.
It might be that someone knows what was done in your absence.
Who else has passwords or access to the systems?
those who could know about the root password don't know anything about
linux or others.
How does ssh check keys? I am asking this because Anita fails before she
knows who is logging in. So if she takes the login of windows which is mine,
she would login or check in $HOME/.ssh. And in $HOME there is no .ssh2, so
probably it will check in /etc/ssh/ for dsa and rsa keys. So if I
remove those keys, would that change it?
Thanks again
roland
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
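Roland's question of how ssh checks keys, and Mitch's point that a "dsa_verify failed for server_host_key" error means the stored host key no longer matches: as an added example (not from the thread, Anita, or OpenSSH), a small Python checker that compares the host key a server presents (what is stored in the server's /etc/ssh/ssh_host_*_key.pub) against a client's known_hosts the way OpenSSH does, and computes the SHA256 fingerprint an admin would compare on both sides. All key numbers and hostnames are constructed.

```python
"""Check the host key a server presents against a client's known_hosts.
A stored key that no longer matches is exactly the condition behind messages
like "dsa_verify failed for server_host_key". Hypothetical helper, not from
the thread; all key material below is constructed."""
import base64, hashlib, hmac, struct

def ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def ssh_mpint(n: int) -> bytes:          # leading 0x00 added when the high bit is set
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def make_rsa_pub_line(e: int, n: int, comment: str) -> str:
    """Build an OpenSSH public-key line (wire blob: type, e, n) from constructed numbers."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def fingerprint(pub_line: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -lf prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(pub_line.split()[1])).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_matches(pattern: str, host: str) -> bool:
    """known_hosts host field: comma-separated names, or a |1|salt|hmac hashed entry."""
    if pattern.startswith("|1|"):
        _, _, salt, mac = pattern.split("|")
        calc = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(calc, base64.b64decode(mac))
    return host in pattern.split(",")

def check_host_key(known_hosts: str, host: str, server_pub_line: str) -> str:
    """Return 'match', 'mismatch' or 'unknown' for the key the server presents."""
    want_type, want_key = server_pub_line.split()[:2]
    seen = False
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue                   # blank, comment, @cert-authority/@revoked entries
        if not host_matches(fields[0], host) or fields[1] != want_type:
            continue                   # another host, or a stored key of another type
        seen = True
        if fields[2] == want_key:
            return "match"
    return "mismatch" if seen else "unknown"

# Constructed sample data: the key on the server and a replaced one.
SERVER_KEY = make_rsa_pub_line(65537, 0xC0FFEE, "root@server")
ROTATED_KEY = make_rsa_pub_line(65537, 0xDEADBEEF, "root@server")
KNOWN_HOSTS = "# client-side ~/.ssh/known_hosts\nserver.example.com,10.0.0.5 " + SERVER_KEY + "\n"
```

On a real system, compare the fingerprint of the server's /etc/ssh/ssh_host_rsa_key.pub (ssh-keygen -lf) with the entry each client has stored; only remove the old known_hosts line once the new key has been confirmed out of band, since a mismatch is what a host-key substitution would also look like.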