On Jan 23, 2012, at 12:19 PM, Yves Dorfsman wrote:

> That file is definitely on my current Ubuntu box, but it is only writable by 
> root. I can't think of any reason why access to an include file would be 
> necessary for a binary. It definitely does sound like the version of ssh you 
> are running has been compromised, and that they are just using an existing 
> file for a different purpose in order not to raise any suspicion.

Yeah, I've seen hacks like that before, though long ago.

The standard SSH rootkits I had fun cleaning up usually also compromised 
various utilities that would let you otherwise see them in action, like lsof 
and ps and whatnot.  Check those to see if their change times are different, 
and all the same as each other, and try reinstalling them.


---
Asst Coach, Lexington Debate: http://www.lexdebate.org
Tournament Tab Software:  http://www.tabroom.com



_______________________________________________
Tech mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
 http://lopsa.org/
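
The check suggested in the message above, as an added example that is not part of the original e-mail: it reads the inode change time of tools an SSH rootkit tends to replace and reports those that changed together at a moment when no other file in their directories did. The paths in `WATCHED`, the function names and the 120-second window are assumptions.

```python
import os
import time

# Assumed paths: the message names lsof and ps; ssh and sshd come from the thread's topic.
WATCHED = ["/usr/bin/lsof", "/usr/bin/ps", "/usr/bin/ssh", "/usr/sbin/sshd"]

def collect_ctimes(paths):
    """Map each readable path to its inode change time (st_ctime)."""
    times = {}
    for path in paths:
        try:
            times[path] = os.stat(path).st_ctime
        except OSError:
            pass  # missing or unreadable on this host
    return times

def neighbours(watched):
    """Change times of every other file in the directories holding the watched tools."""
    real = {os.path.realpath(p) for p in watched}
    dirs = {os.path.dirname(p) for p in watched}
    others = (os.path.join(d, n) for d in dirs for n in os.listdir(d))
    return collect_ctimes(p for p in others if os.path.realpath(p) not in real)

def cluster(ctimes, window=120):
    """Group paths whose change time is within `window` seconds of the previous one."""
    groups = []
    for path, ts in sorted(ctimes.items(), key=lambda kv: kv[1]):
        if groups and ts - groups[-1][-1][1] <= window:
            groups[-1].append((path, ts))
        else:
            groups.append([(path, ts)])
    return groups

def suspicious(watched, baseline, window=120):
    """Watched tools that changed together at a time when no neighbouring file changed."""
    hits = []
    for group in cluster(watched, window):
        lo, hi = group[0][1], group[-1][1]
        alone = not any(lo - window <= t <= hi + window for t in baseline.values())
        if len(group) >= 2 and alone:
            hits.append([path for path, _ in group])
    return hits

if __name__ == "__main__":
    watched = collect_ctimes(WATCHED)
    for path, ts in sorted(watched.items(), key=lambda kv: kv[1]):
        print(time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(ts)), path)
    for group in suspicious(watched, neighbours(watched)):
        print("changed together, apart from their neighbours:", ", ".join(group))
```

A package upgrade also changes several files at once, so compare any hit against the package manager's log before reinstalling. Run it with an interpreter from known-good media where possible, since the message's point is that the local tools themselves may have been replaced.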
