Re: Remotely replaced sshd_config, CentOS 5.3/SSH 4.3p2-36el5_4.2 is the attackers' IP.

Leif Nixon wrote:
Adam Hubscher <offbeatadam@xxxxxxxxx> writes:

These servers run cPanel and have been updated to the following

2.6.18-164.el5PAE #1 SMP Thu Sep 3 04:10:44 EDT 2009 i686 i686 i386

This seems vulnerable to CVE-2009-3547 and CVE-2009-2695. If SELinux is
enabled, you can trivially get root on these machines if you can run
commands as a logged in user.

I would start by looking very hard at all successful ssh logins the
hours before the known intrusion. It is very possible that some of them
are performed using stolen ssh keys.

I have logs from these servers, if you need other information to
possibly help track this down that is possible. I'm having a hard time
finding the vector for this attack though...

If you could share the IP number of the attacking host, that could be
useful. Does /root/.bash_history contain anything interesting? Is there
anything suspicious in /dev/shm? (There won't be, if the machine has
been rebooted after the intrusion.)
