Re: ssh2

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



roland wrote:
On Sat, 20 Sep 2008 20:48:47 +0200, Bill Davidsen <davidsen@xxxxxxx> wrote:

The worrying thing is that since the sshd now asks for ssh2 protocol only, there is a new sshd operating, one you didn't install, and one which may be copying keystroke data (login names and passwords) to some unauthorized other site. I can't say that's happening, but this has all of the characteristics of that. It could also be caused by an upgrade of sshd, although I read your posts to say that only you could do that.

It would be useful to use 'ps' to see which sshd is running, and to do an 'ls -l' and md5sum on the executable and post the values here. Also a telnet to the ssh port usually gives the protocol and sshd version, although that can be faked. Post that if you wish

You will find it in  annex

Thanks again for your time

From the attachment:

> telnet localhost 22
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> SSH-2.0-SSH-1.99-OpenSSH_3.5p1

That is a *very* old version of OpenSSH, nothing you got from Fedora, I believe. I think it's something which the hacker installed, and a hacked sshd would be the perfect place to capture login and password information.

> service sshd status
> As you can see it doesn't give sshd but this crazy characters, in both cases
>
> 1628 ?        S      0:02 ?a?@°Ó?@?
> 22871 ?        S      0:00 ?a?@°Ó?@?

Just how old a Fedora do you have? This doesn't look at all as I would expect. You might do "ls -lc /bin/ps" and see if that was recently replaced as well. However:

> ls -l /usr/sbin/sshd
> -rwxr-xr-x    1 root     root      3963123 sep 16 00:03 /usr/sbin/sshd

This looks as if the sshd was replaced a few days ago, shortly before your first message to the list. That makes it even more likely that passwords are being captured, perhaps even entire connect sessions.

It looks as if the machine has been totally penetrated, and of course if you don't use different account names and passwords for other machines they have as well.

--
Bill Davidsen <davidsen@xxxxxxx>
  "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux