We've had a number of hacked boxen recently. It appears a certain person (Romanian we think) is specifically targeting us and our customers (looks like he hit a machine and found connections from others in their logs, went from there).
We have no idea how he's getting in, but we've got his rootkit fairly nailed down (he uses a few slightly different ones). We've caught a few systems as he was breaking in (we have .bash_history files and the site he downloads his rootkits from). The part that bothers me is that all of these systems were updated to the newest versions on debian.security.org (if apt-get was doing its job) and firewalled down to just the ports we needed (22, 25, 53, 80).

My boss is thinking they might have some sort of crack for OpenSSH (the only service I can say all of these have in common), and he's considering trying a switch to the non-free one just to see if it helps. While I don't like this (OpenSSH is open and it should be that way), has anyone else had this kind of experience? Is there some big hack I should know about? I've checked CERT and the SANS list. Both of them were helpful, but most of the answers said "run the newest version of X", which I have assumed apt-get fixed (in stable at least). I mean, some versions were older, but I had heard most of them had backported fixes.

Is this happening to anyone else? I'm at a complete loss as to how to explain this one; help would be appreciated. The only comforting thought is that I can't imagine Redhat would have done any better.

Jayson Vantuyl
Computing Edge, Inc.