Hello,

there are few chances of replacing sshd without being root. In your place I would install every server anew.

I think he spied out passwords and maybe got root passwords this way. Possibly he has even accessed servers where you didn't find him and left backdoors there. (manipulation of ~/.ssh/authorized_keys, another user with userid 0, replaced software, replaced suid accesses, added software, ...)

When you reinstall your servers, think of not using login+password but a public/private key pair for user authentication. You can even forward such a combination. But be aware that if key forwarding is enabled it can be used by attackers too. You should then protect the private key with a password and use it only from trusted machines. Avoid key forwarding unless you need it; for instance when copying files from one server to the other it could be useful. Always lock your trusted working computer when leaving it and think of encrypting the filesystem. (Be aware that a local attacker can install a password sniffer even if you encrypted your system partition.)

Good luck, and think of not accessing the newly installed computers from old ones ...
Regards,
Guntram

Johann Spies wrote:
On Mon, Jun 01, 2009 at 07:23:27AM -0400, Michael Stone wrote:

Yes, that's a typical location for intruders to drop files. Easiest thing to do is reinstall after thinking about how the compromise may have occurred. (Did you update regularly, including kernel updates? Did all accounts have strong passwords? Do you have web applications not managed by the system that weren't being updated? etc.)

We had a serious situation on this computer and several others. Ssh
and sshd were replaced by the cracker's own version and in one case
nearly all the pam-related stuff was replaced also.  Through these
customised versions of ssh the cracker harvested every password that
was used during ssh logins and ssh sessions.

We are winning the battle and will in the next few weeks try to do the
analysis of what went wrong.

Regards
Johann


--
Guntram Trebs
freelance programmer and administrator

g...@trebs.net
+49 (30) 42 80 61 55
+49 (178) 686 77 55
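Triage checks for the backdoor types Guntram lists (extra UID-0 accounts, unexpected authorized_keys entries, setuid binaries, replaced packaged files). This is an added example, not code from the thread; it assumes a Debian system with debsums available for the last check, and each function takes a path so it can also be run against a mounted copy of a suspect disk.

```shell
#!/bin/sh
# Added example: post-compromise triage helpers. Run from a known-good
# boot medium where possible, since a trojaned system may lie to you.

# 1. Any account besides "root" with UID 0 (argument: a passwd file).
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# 2. Every authorized_keys file under a tree with its number of key lines
#    (comments and blanks excluded), so an added key stands out.
authorized_keys_report() {
    find "$1" -name authorized_keys -type f 2>/dev/null | while read -r f; do
        printf '%s %s\n' "$f" "$(grep -c -v -E '^(#|$)' "$f")"
    done
}

# 3. Setuid/setgid files under a tree; diff the output against the same
#    listing from a clean install of the same release.
suid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# 4. Files from installed Debian packages whose md5sum no longer matches.
#    A replaced sshd shows up here unless the attacker also edited the
#    md5sums lists in /var/lib/dpkg/info, hence the clean-medium advice.
changed_package_files() {
    command -v debsums >/dev/null 2>&1 || { echo "debsums not installed" >&2; return 2; }
    debsums -c 2>/dev/null
}
```

Save the output of each function together with the host's package list before wiping the machine; it is the evidence for the later analysis.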

