openssh-unix-dev May 2011 archive

Re: hacking attempt

From: Ángel González <keisial_at_nospam>
Date: Fri May 06 2011 - 21:09:10 GMT
To: F 10 <lip@lip.net.ua>, openssh-unix-dev@mindrot.org

F 10 wrote:
> Hello,
> today I found in my logs
>
> May 6 01:36:14 xxx sshd[27880]: Address x.x.x.x maps to xxx.com, but this
> does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
> May 6 01:36:15 xxx sshd[27880]: *Accepted publickey* for root from x.x.x.x
> port 55707 ssh2
> May 6 01:36:15 xxx sshd[27880]: pam_unix(sshd:session): session opened for
> user root by (uid=0)
> May 6 01:36:15 xxx sshd[27880]: subsystem request for sftp
>
> In the sshd_config was always PermitRootLogin no
>
> /root/.ssh always was empty
>
> md5sum /usr/sbin/sshd
> f8c11462e8f2a7bf80e212e06041492b /usr/sbin/sshd
>
> md5sum sshd #binary from .deb
> f8c11462e8f2a7bf80e212e06041492b sshd
>
> OS Debian GNU/Linux 6.0
> SSH-2.0-OpenSSH_5.5p1 Debian-6
>
> How is it possible?
Perhaps 27880 wasn't the normal sshd instance, but one run with a different
config, or a trojaned one?
(That begs the question of how they could have launched such a hypothetical
'evil sshd' beforehand, though.)

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
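A defender-side check for the kind of contradiction the original poster reports (root accepted by public key while the config says PermitRootLogin no), as an added Python example that is not part of the thread; it runs over constructed log lines and constructed `sshd -T` output, and it assumes that output was taken from the config file the listening daemon actually loaded.

```python
import re

# Constructed sample, modelled on the log excerpt in the thread (not real data).
SAMPLE_LOG = """\
May 6 01:36:15 xxx sshd[27880]: Accepted publickey for root from x.x.x.x port 55707 ssh2
May 6 01:36:15 xxx sshd[27880]: pam_unix(sshd:session): session opened for user root by (uid=0)
May 6 02:10:03 xxx sshd[27901]: Accepted password for alice from 10.0.0.5 port 50123 ssh2
"""

# Constructed effective config in the form `sshd -T` prints it: one "key value" per line.
SAMPLE_SSHD_T = """\
permitrootlogin no
passwordauthentication yes
pubkeyauthentication yes
"""

ACCEPT_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<addr>\S+) port (?P<port>\d+)")


def parse_effective_config(sshd_t_output):
    """Turn `sshd -T` output into {key: value}; sshd -T already lowercases keys."""
    conf = {}
    for line in sshd_t_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf[parts[0]] = parts[1]
    return conf


def accepted_logins(log_text):
    """Return one dict (pid, method, user, addr, port) per 'Accepted ...' log line."""
    return [m.groupdict() for m in map(ACCEPT_RE.search, log_text.splitlines()) if m]


def contradictions(log_text, sshd_t_output):
    """List (pid, reason) for accepted logins the effective config could not have
    produced: evidence that the accepting sshd ran with another config or binary."""
    conf = parse_effective_config(sshd_t_output)
    found = []
    for login in accepted_logins(log_text):
        if login["user"] == "root" and conf.get("permitrootlogin") == "no":
            found.append((login["pid"], "root login accepted with PermitRootLogin no"))
        if login["method"] == "password" and conf.get("passwordauthentication") == "no":
            found.append((login["pid"], "password login accepted with PasswordAuthentication no"))
        if login["method"] == "publickey" and conf.get("pubkeyauthentication") == "no":
            found.append((login["pid"], "publickey login accepted with PubkeyAuthentication no"))
    return found
```

The flagged pid is the per-connection child, which has exited by the time you look, so pair this with a check of which binary and config the listening parent process was started from rather than relying on the pid alone.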