Re: Remotely replaced sshd_config, CentOS 5.3/SSH 4.3p2-36el5_4.2
- From: Adam Hubscher <offbeatadam@xxxxxxxxx>
- Date: Fri, 13 Nov 2009 11:08:50 -0600
68.50.70.187 is the attackers' IP.
Leif Nixon wrote:
> Adam Hubscher <offbeatadam@xxxxxxxxx> writes:
>
>> These servers run cPanel and have been updated to the following
>> specs:
>> 2.6.18-164.el5PAE #1 SMP Thu Sep 3 04:10:44 EDT 2009 i686 i686 i386
>> GNU/Linux
>
> This seems vulnerable to CVE-2009-3547 and CVE-2009-2695. If SELinux is
> enabled, you can trivially get root on these machines if you can run
> commands as a logged in user.
>
> I would start by looking very hard at all successful ssh logins the
> hours before the known intrusion. It is very possible that some of them
> are performed using stolen ssh keys.
>
>> I have logs from these servers, if you need other information to
>> possibly help track this down that is possible. I'm having a hard time
>> finding the vector for this attack though...
>
> If you could share the IP number of the attacking host, that could be
> useful. Does /root/.bash_history contain anything interesting? Is there
> anything suspicious in /dev/shm? (There won't be, if the machine has
> been rebooted after the intrusion.)
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature