On 10/27/06, Daniel <[EMAIL PROTECTED]> wrote:
There was a successful ssh attack on one of our boxes. We need to allow ssh access to those outside the organization. The attacker put a homegrown rootkit on the server. The rootkit was stopped, but since then ssh has been logging to /var/log/messages. The relevant configuration files I know about (/etc/ssh/sshd_config, /etc/ssh/ssh_config, /etc/syslog) are the same as on a server that works. /var/log/secure is not getting any messages. What can I do to restore ssh to its previous state without reinstalling it?
You MUST reinstall. You don't know what other files have been compromised unless you have MD5sums of every file on your system stored off site.

/* PLUG: http://plug.org, #utah on irc.freenode.net Unsubscribe: http://plug.org/mailman/options/plug Don't fear the penguin. */
