2009/11/12 Adam Hubscher <offbeatadam@xxxxxxxxx>:
> Early (around midnight-1am CST) this morning we had a widespread attack via
> an unknown vector. In the attack, the only thing that I can find is the
> following (IP blacked out, although it is the attackers' address):

A couple of colleagues at UK universities have reported seeing things similar
to the following (they run RHEL5/CentOS/Scientific Linux) :-

A user account was used to log in from two sites:

  195.22.101.220 (server14.Xuna.nl)
  195.22.100.126 (server12.xuna.nl)

On the compromised systems (RHEL5) the ssh and sshd binaries were replaced
with ones that logged username and plain text password information to a file
called /etc/X11/fonts/misc/s1

The new ssh and sshd had the dates set to the originals, but they didn't have
the a and i attributes set. Their new sizes were

  334768 /usr/bin/ssh
  445512 /usr/sbin/sshd

The output of 'strings /usr/sbin/sshd' included the following:

  /etc/X11/fonts/misc/S1
  /etc/X11/fonts/misc/s1
  /etc/X11/fonts/misc/s1.tmp
  rm -rf /etc/X11/fonts/misc/s1; cp /etc/X11/fonts/misc/s1.tmp /etc/X11/fonts/misc/s1; chmod o+w /etc/X11/fonts/misc/s1; rm -rf /etc/X11/fonts/misc/s1.tmp
  /usr/X11R6/bin/xauth
  no-X11-forwarding

and 'strings /usr/sbin/ssh' included:

  /etc/X11/fonts/misc/S1
  /etc/X11/fonts/misc/s1

Where a compromised system had had the openssh-server and openssh-clients
rpms updated after the compromise, 'rpm -V' on openssh-server and
openssh-clients looked ok (but the /etc/X11/fonts/misc/s1 file still
existed).

Regards,
Mark
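A triage script built from the indicators in Mark's report (the credential-log path, the two binary sizes, the missing a/i attributes, and the limits of 'rpm -V' once the packages have been reinstalled), added here as an example and not part of the original message. It assumes a POSIX shell with grep, wc, head and cut, takes a root directory so it can also be pointed at a mounted image, and the make_sample tree is constructed purely for illustration.

```sh
#!/bin/sh
# Triage helper for the trojaned ssh/sshd described in the report above (added
# example). Indicators are the reported ones; everything else is assumed.
IOC_LOG='/etc/X11/fonts/misc/s1'
IOC_SIZES='334768 445512'   # sizes reported for the replaced ssh and sshd

# scan_binary FILE: 0 if FILE embeds the credential-log path, 1 if not, 2 if missing.
scan_binary() {
    [ -f "$1" ] || return 2
    grep -a -q -F "$IOC_LOG" "$1"
}

# size_matches FILE: 0 if FILE's size equals one of the reported trojan sizes.
size_matches() {
    sz=$(wc -c < "$1" | tr -d ' ')
    for s in $IOC_SIZES; do [ "$sz" = "$s" ] && return 0; done
    return 1
}

# check_host ROOT: run the checks under ROOT ('/' for a live host, or the
# mount point of an image). Prints findings; returns 0 if clean, 1 otherwise.
check_host() {
    root=${1%/}; bad=0
    [ -e "$root$IOC_LOG" ] && { echo "SUSPICIOUS: $root$IOC_LOG exists"; bad=1; }
    for b in /usr/bin/ssh /usr/sbin/sshd; do
        f="$root$b"; [ -f "$f" ] || continue
        scan_binary "$f" && { echo "SUSPICIOUS: $f references $IOC_LOG"; bad=1; }
        size_matches "$f" && { echo "SUSPICIOUS: $f size matches reported trojan"; bad=1; }
        # the report notes the trojans lacked the a/i attributes the originals had
        if command -v lsattr >/dev/null 2>&1; then
            attrs=$(lsattr -d "$f" 2>/dev/null | cut -d' ' -f1)
            case "$attrs" in *i*|*a*) ;; *) echo "NOTE: $f has neither a nor i attribute" ;; esac
        fi
    done
    # rpm -V is only meaningful on the live host, and only proves something
    # if the packages were not reinstalled after the compromise (see above)
    if [ -z "$root" ] && command -v rpm >/dev/null 2>&1; then
        rpm -V openssh-server openssh-clients || { echo "SUSPICIOUS: rpm -V reports changes"; bad=1; }
    fi
    return $bad
}

# make_sample ROOT: build a constructed tree mimicking the reported compromise
# (fake sshd of the reported size embedding the log path, plus the log file).
make_sample() {
    mkdir -p "$1/usr/sbin" "$1/etc/X11/fonts/misc"
    { printf '%s\n' "$IOC_LOG"; head -c 445489 /dev/zero; } > "$1/usr/sbin/sshd"
    : > "$1$IOC_LOG"
}
```

Run it as `check_host /` on a suspect machine, or `check_host /mnt/evidence` against an image; a non-zero exit means at least one reported indicator was found.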