Re: Remotely replaced sshd_config, CentOS 5.3/SSH 4.3p2-36el5_4.2

68.50.70.187 is the attackers' IP.

Leif Nixon wrote:
> Adam Hubscher <offbeatadam@xxxxxxxxx> writes:
>
>> These servers run cPanel and have been updated to the following
>> specs:
>>
>> 2.6.18-164.el5PAE #1 SMP Thu Sep 3 04:10:44 EDT 2009 i686 i686 i386
>> GNU/Linux
>
> This seems vulnerable to CVE-2009-3547 and CVE-2009-2695. If SELinux is
> enabled, you can trivially get root on these machines if you can run
> commands as a logged in user.
>
> I would start by looking very hard at all successful ssh logins the
> hours before the known intrusion. It is very possible that some of them
> are performed using stolen ssh keys.
>
>> I have logs from these servers, if you need other information to
>> possibly help track this down that is possible. I'm having a hard time
>> finding the vector for this attack though...
>
> If you could share the IP number of the attacking host, that could be
> useful. Does /root/.bash_history contain anything interesting? Is there
> anything suspicious in /dev/shm? (There won't be, if the machine has
> been rebooted after the intrusion.)
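The triage step Leif suggests (review every successful sshd login in the hours before the intrusion and single out key-based logins that may come from a stolen key) can be scripted against /var/log/secure. The following is an added example, not code from this thread or from OpenSSH; the log lines, the intrusion timestamp, the log year and the admin allowlist are all constructed for the demonstration.

```python
"""Summarise successful sshd logins in the hours before a known intrusion.

Added example for the thread above. It parses the syslog-style lines that
OpenSSH writes to /var/log/secure on CentOS 5, e.g.
  "Nov 14 03:05:44 web1 sshd[2377]: Accepted publickey for admin from 198.51.100.23 port 40122 ssh2"
and groups the logins inside a look-back window by source IP, so that
key-based logins from unexpected hosts stand out.
"""
import re
from datetime import datetime, timedelta

# /var/log/secure timestamps carry no year; the year is an assumption here.
LOG_YEAR = 2009

ACCEPTED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_accepted(lines, year=LOG_YEAR):
    """Yield (timestamp, auth method, user, source ip) for each 'Accepted' line."""
    for line in lines:
        m = ACCEPTED_RE.match(line)
        if not m:
            continue  # failed logins and unrelated sshd messages are skipped
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        yield ts, m.group("method"), m.group("user"), m.group("ip")


def logins_before(lines, intrusion_time, hours=6, year=LOG_YEAR):
    """Logins in [intrusion_time - hours, intrusion_time], grouped by source IP.

    Returns {ip: [(timestamp, method, user), ...]} in log order.
    """
    start = intrusion_time - timedelta(hours=hours)
    by_ip = {}
    for ts, method, user, ip in parse_accepted(lines, year):
        if start <= ts <= intrusion_time:
            by_ip.setdefault(ip, []).append((ts, method, user))
    return by_ip


def suspicious_key_logins(by_ip, known_good_ips):
    """Key-based logins from IPs outside the admin allowlist.

    A stolen private key produces exactly this signature: no failed-password
    noise, just a clean 'Accepted publickey' from a host the admins never use.
    """
    return sorted(
        (ip, user, ts)
        for ip, entries in by_ip.items() if ip not in known_good_ips
        for ts, method, user in entries if method == "publickey"
    )


# Constructed sample log lines, not real logs from the compromised servers.
SAMPLE_LOG = """\
Nov 14 01:12:03 web1 sshd[2101]: Accepted publickey for admin from 10.0.0.5 port 51022 ssh2
Nov 14 02:40:17 web1 sshd[2310]: Failed password for root from 203.0.113.9 port 4022 ssh2
Nov 14 03:05:44 web1 sshd[2377]: Accepted publickey for admin from 198.51.100.23 port 40122 ssh2
Nov 14 03:06:10 web1 sshd[2379]: Accepted password for cpaneluser from 198.51.100.23 port 40130 ssh2
Nov 14 03:20:00 web1 sshd[2401]: Accepted publickey for root from 10.0.0.5 port 51100 ssh2
Nov 13 19:00:00 web1 sshd[1900]: Accepted publickey for admin from 198.51.100.23 port 40000 ssh2
""".splitlines()

INTRUSION_TIME = datetime(2009, 11, 14, 3, 30)  # constructed: when the replaced sshd_config was noticed
KNOWN_GOOD_IPS = {"10.0.0.5"}                    # constructed: the admins' jump host

if __name__ == "__main__":
    window = logins_before(SAMPLE_LOG, INTRUSION_TIME, hours=6)
    for ip, entries in sorted(window.items()):
        print(ip)
        for ts, method, user in entries:
            print(f"  {ts:%b %d %H:%M:%S}  {method:<9} {user}")
    print("key logins to review:", suspicious_key_logins(window, KNOWN_GOOD_IPS))
```

On a real host, replace SAMPLE_LOG with the lines of /var/log/secure (and its rotated copies, since a week of logs spans several files) and set INTRUSION_TIME from the mtime of the replaced sshd_config. Any key login the script reports from a host outside the allowlist is a candidate stolen key: rotate that user's keys and check the originating host as well.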
