F 10 wrote:
> today I found in my logs
> May 6 01:36:14 xxx sshd: Address x.x.x.x maps to xxx.com, but this
> does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
> May 6 01:36:15 xxx sshd: *Accepted publickey* for root from x.x.x.x
> port 55707 ssh2
> May 6 01:36:15 xxx sshd: pam_unix(sshd:session): session opened for
> user root by (uid=0)
> May 6 01:36:15 xxx sshd: subsystem request for sftp
> In the sshd_config, PermitRootLogin was always no
> /root/.ssh always was empty
> md5sum /usr/sbin/sshd
> f8c11462e8f2a7bf80e212e06041492b /usr/sbin/sshd
> md5sum sshd #binary from .deb
> f8c11462e8f2a7bf80e212e06041492b sshd
> OS Debian GNU/Linux 6.0
> SSH-2.0-OpenSSH_5.5p1 Debian-6
> How is it possible?
Perhaps 27880 wasn't the normal sshd instance, but run with different
config/a trojaned one?
(that begs the question of how they could launch such a hypothetical
'evil sshd' before, though)
openssh-unix-dev mailing list
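One way to check the reply's hypothesis from the defender's side is to correlate the "Accepted" lines with the policy that sshd_config actually expresses and with the process that produced them: a root login accepted while the global PermitRootLogin is "no" means the accepting sshd was not running that configuration. The script below is an added example written for this thread, not code from OpenSSH or from either poster. The log lines and config text are constructed; the PID 27880 mirrors the one mentioned in the reply, and the /proc inspection (`process_report`) is a Linux-only hypothetical helper that is not exercised by the sample data.

```python
"""Correlate sshd 'Accepted' log lines with the sshd_config policy and with
the process that produced them (added example, not OpenSSH project code)."""
import hashlib
import os
import re

# Syslog shape: "May  6 01:36:15 host sshd[27880]: Accepted publickey for root from 1.2.3.4 port 55707 ssh2"
# The PID bracket is optional because some archives strip it (as in the quoted log).
ACCEPT_RE = re.compile(
    r"sshd(?:\[(?P<pid>\d+)\])?: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)

# Constructed sample data for this example.
SAMPLE_LOG = [
    "May  6 01:36:14 xxx sshd[27880]: Address 192.0.2.10 maps to example.invalid, "
    "but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!",
    "May  6 01:36:15 xxx sshd[27880]: Accepted publickey for root from 192.0.2.10 port 55707 ssh2",
    "May  6 01:36:15 xxx sshd[27880]: pam_unix(sshd:session): session opened for user root by (uid=0)",
    "May  6 01:36:15 xxx sshd[27880]: subsystem request for sftp",
]
SAMPLE_CONFIG = "# constructed sshd_config\nPort 22\nPermitRootLogin no\nSubsystem sftp /usr/lib/openssh/sftp-server\n"


def parse_accepted(lines):
    """Extract every successful authentication from syslog-style sshd lines."""
    events = []
    for line in lines:
        m = ACCEPT_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["pid"] = int(ev["pid"]) if ev["pid"] else None
        ev["port"] = int(ev["port"])
        events.append(ev)
    return events


def permit_root_login(config_text):
    """Return the global PermitRootLogin value, lower-cased.

    sshd honours the first occurrence of a keyword; later ones are ignored, and
    anything after the first Match block is conditional rather than global.
    Returns None when the keyword is never set (the built-in default then applies)."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "match":
            break
        if parts[0].lower() == "permitrootlogin" and len(parts) == 2:
            return parts[1].strip().lower()
    return None


def contradicting_events(events, policy):
    """Root logins that the configured global policy should not have allowed."""
    if policy != "no":
        return []
    return [e for e in events if e["user"] == "root"]


def alternate_config(argv, default="/etc/ssh/sshd_config"):
    """True when an sshd command line selects a config file other than the default."""
    for i, arg in enumerate(argv):
        if arg == "-f" and i + 1 < len(argv):
            return argv[i + 1] != default
        if arg.startswith("-f") and len(arg) > 2:
            return arg[2:] != default
    return False


def process_report(pid):
    """Hypothetical Linux-only helper: describe the binary and arguments behind a PID.
    Compares the running executable's hash with the on-disk path it claims to be,
    so a replaced or deleted-after-exec binary shows up as a mismatch."""
    exe = os.readlink(f"/proc/{pid}/exe")
    with open(f"/proc/{pid}/cmdline", "rb") as fh:
        argv = [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]
    with open(f"/proc/{pid}/exe", "rb") as fh:
        running = hashlib.sha256(fh.read()).hexdigest()
    on_disk = None
    if os.path.exists(exe):
        with open(exe, "rb") as fh:
            on_disk = hashlib.sha256(fh.read()).hexdigest()
    return {"exe": exe, "argv": argv, "alternate_config": alternate_config(argv),
            "binary_matches_disk": running == on_disk}


if __name__ == "__main__":
    policy = permit_root_login(SAMPLE_CONFIG)
    for ev in contradicting_events(parse_accepted(SAMPLE_LOG), policy):
        print(f"root login accepted by pid {ev['pid']} from {ev['ip']} "
              f"although PermitRootLogin is {policy!r}; inspect that process")
```

Run on a live host, the mismatch list tells you which sshd PID to inspect with `process_report`; if that PID's executable is not the packaged /usr/sbin/sshd, or its argv carries a `-f` pointing elsewhere, the md5sum comparison of the on-disk binary alone would not have revealed it.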