RE: possibly compromised redhat 7.2 box
From: Brecrost Jones (brecrost_at_hotmail.com)
Date: 05/25/04
To: mcgillim@cis.uab.edu
Date: Tue, 25 May 2004 14:24:53 -0600
Also, check which SSH protocols sshd is allowing (probably
/etc/ssh/sshd_config, or thereabouts), and which protocol your SSH client is
using (if PuTTY, look under Connection->SSH). If your sshd or PuTTY has
been upgraded recently, there may be a mismatch. I think the latest version
of PuTTY was changed to default to SSH protocol version 2, maybe your server
is only allowing version 1 (?). Or perhaps sshd was upgraded, and defaults
to version 2, but your PuTTY is set to use version 1 only.
Hope that helps.
>-----Original Message-----
>From: Kalpin Erlangga Silaen [mailto:kalpin@solonet.co.id]
>Sent: May 23, 2004 10:56 PM
>To: Melissa McGillis; Security-Basics
>Subject: Re: possibly compromised redhat 7.2 box
>
>
>Dear Melissa,
>I think this happened because someone (I hope s/he is your Administrator)
>changed/upgraded your sshd. To fix it, try to edit your known_hosts2 at
>~/.ssh/
>or just remove ~/.ssh by typing : $rm -rf .ssh.
>If you are using windows then remove putty.rnd (if you are using putty) from
>root directory (please read the manual).
>
>
>I hope this will help you
>
>
>Regards,
>
>
>
>Kalpin Erlangga S
>
>----- Original Message -----
>From: "Melissa McGillis" <mcgillim@cis.uab.edu>
>To: "Security-Basics" <security-basics@securityfocus.com>
>Sent: Friday, May 21, 2004 2:17 AM
>Subject: possibly compromised redhat 7.2 box
>
>
> > Hello,
> >
> > I have a redhat 7.2 server that stopped accepting my ssh login. I can still
> > use my login at the terminal. I also noticed that the host key changed. My
> > only guess at this point is that the box was probably compromised. Any good
> > software out there to help me figure it out? Any other ideas as to what
> > would cause this?
> > Anything helps,
> > Melissa
> > (THIS IS IN NO WAY AFFILIATED WITH UAB. It's just the address I use for
> > lists.)
> >
> >
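The server-side half of the protocol check suggested in the reply above, as an added example that is not part of the original thread. The function names `sshd_protocols` and `check_client` and the sample config are constructed for illustration; the default protocol list for a config with no `Protocol` line depends on the sshd build, so the caller supplies it.

```shell
#!/bin/sh
# Added example: read the Protocol directive from an sshd_config and tell
# whether a client pinned to one SSH protocol version can still connect.

# sshd_protocols FILE
# Prints the value of the first active "Protocol" line (keywords are
# case-insensitive), or nothing if the keyword is absent.
sshd_protocols() {
    awk '
        { sub(/#.*/, "") }                       # drop comments
        tolower($1) == "protocol" && NF >= 2 {
            v = $2
            for (i = 3; i <= NF; i++) v = v $i   # tolerate "2, 1"
            print v
            exit
        }' "$1"
}

# check_client FILE CLIENT_VERSION [DEFAULT_LIST]
# Prints "match", "mismatch", or "unknown" (no Protocol line, no default given).
check_client() {
    allowed=$(sshd_protocols "$1")
    [ -n "$allowed" ] || allowed=${3:-}
    if [ -z "$allowed" ]; then
        echo "unknown"
        return 0
    fi
    case ",$allowed," in
        *,"$2",*) echo "match" ;;
        *)        echo "mismatch" ;;
    esac
}

# Constructed sample config (not taken from the box in the thread).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed sample
#Protocol 2,1
Port 22
protocol 1
EOF

echo "server allows protocol(s): $(sshd_protocols "$sample")"
echo "client forced to SSH-2:    $(check_client "$sample" 2)"
echo "client forced to SSH-1:    $(check_client "$sample" 1)"
```

A "mismatch" explains a refused login, but it does not explain a changed host key; compare that separately against a fingerprint taken at the console with `ssh-keygen -l -f` on the server's public host key file.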