ssh binary modified


I've just found a problem with ssh on one of my servers. I'm hoping someone
can give me some insight into what's caused the problem.

When I try to use scp or ftp I get the following error:
command-line: line 0: Bad configuration option: PermitLocalCommand
lost connection

I've just noticed my /usr/bin/ssh binary was modified two days ago although
no updates have been run.

I've noticed a strange new file: /etc/ssh/.sshd_auth
This has file permission 755 and contained two entries of my plain text

FreeBSD hostname 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:02:08 UTC
2009 root@xxxxxxxxxxxxxxxxxxxxx:/usr/obj/usr/src/sys/GENERIC amd64

OpenSSH_5.2p1 FreeBSD-20090522, SSH protocols 1.5/2.0, OpenSSL 0x009080bf

MD5 (/usr/bin/ssh) = 39d889822b743a86ab150e12692c85b7

Has anyone seen the file /etc/ssh/.sshd_auth before?


Nick Knight
freebsd-security@xxxxxxxxxxx mailing list
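
The two observations in this message (a system binary whose contents changed with no update run, and a new dotfile in /etc/ssh) are what a file-integrity baseline is meant to surface. The following is an added example, not part of the original message: it records SHA-256 digests (used here instead of the MD5 shown in the post) and reports changed files and unrecorded dotfiles. The function names and the constructed temporary tree are assumptions made for illustration.

```python
import hashlib
import os
import stat
import tempfile

def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def changed_files(root, baseline):
    """Baseline paths that are missing or whose digest no longer matches."""
    bad = []
    for rel, digest in sorted(baseline.items()):
        path = os.path.join(root, rel)
        if not os.path.isfile(path) or sha256_of(path) != digest:
            bad.append(rel)
    return bad

def unexpected_dotfiles(root, rel_dir, baseline):
    """Dotfiles in rel_dir that the baseline never recorded, with mode bits."""
    found = []
    for name in sorted(os.listdir(os.path.join(root, rel_dir))):
        rel = rel_dir + "/" + name
        if name.startswith(".") and rel not in baseline:
            mode = stat.S_IMODE(os.lstat(os.path.join(root, rel)).st_mode)
            found.append((rel, oct(mode)))
    return found

def _write(root, rel, data, mode):
    """Create a file (and parent directories) inside the constructed tree."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, mode)

def demo():
    """Constructed tree: record a baseline, then mimic the changes in the post."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "usr/bin/ssh", b"original client", 0o755)
        _write(root, "etc/ssh/sshd_config", b"Port 22\n", 0o644)
        baseline = {rel: sha256_of(os.path.join(root, rel))
                    for rel in ("usr/bin/ssh", "etc/ssh/sshd_config")}
        _write(root, "usr/bin/ssh", b"replaced client", 0o755)   # content swapped
        _write(root, "etc/ssh/.sshd_auth", b"constructed\n", 0o755)  # new dotfile
        return (changed_files(root, baseline),
                unexpected_dotfiles(root, "etc/ssh", baseline))

if __name__ == "__main__":
    print(demo())
```

A baseline is only useful if it is stored off the host it describes, since anything able to replace /usr/bin/ssh can also rewrite a local manifest.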