RES: possibly compromised redhat 7.2 box

From: Nelson B. dos Santos Neto (nelson_at_engesis.com)
Date: 05/27/04

    To: <security-basics@securityfocus.com>
    Date: Wed, 26 May 2004 23:07:53 -0300
    
    

    You should try Tripwire (www.tripwire.org). It won't help you now, but
    it will prevent it from happening again.

    Nelson

    -----Original Message-----
    From: Brecrost Jones [mailto:brecrost@hotmail.com]
    Sent: Tuesday, May 25, 2004 17:25
    To: mcgillim@cis.uab.edu
    Cc: security-basics@securityfocus.com
    Subject: RE: possibly compromised redhat 7.2 box

    Also, check which SSH protocols sshd is allowing (probably
    /etc/ssh/sshd_config, or thereabouts), and which protocol your SSH
    client is using (if PuTTY, look under Connection->SSH). If your sshd or
    PuTTY has been upgraded recently, there may be a mismatch. I think the
    latest version of PuTTY was changed to default to SSH protocol version 2,
    maybe your server is only allowing version 1 (?). Or perhaps sshd was
    upgraded, and defaults to version 2, but your PuTTY is set to use
    version 1 only.

    Hope that helps.

    >-----Original Message-----
    >From: Kalpin Erlangga Silaen [mailto:kalpin@solonet.co.id]
    >Sent: May 23, 2004 10:56 PM
    >To: Melissa McGillis; Security-Basics
    >Subject: Re: possibly compromised redhat 7.2 box
    >
    >
    >Dear Melissa,
    >I think this happened because someone (I hope s/he is your Administrator)
    >changed/upgraded your sshd. To fix it, try to edit your known_hosts2 at
    >~/.ssh/
    >or just remove ~/.ssh by typing : $rm -rf .ssh.
    >If you are using Windows then remove putty.rnd (if you are using PuTTY)
    >from root directory (please read the manual).
    >
    >
    >I hope this will help you
    >
    >
    >Regards,
    >
    >
    >
    >Kalpin Erlangga S
    >
    >----- Original Message -----
    >From: "Melissa McGillis" <mcgillim@cis.uab.edu>
    >To: "Security-Basics" <security-basics@securityfocus.com>
    >Sent: Friday, May 21, 2004 2:17 AM
    >Subject: possibly compromised redhat 7.2 box
    >
    >
    > > Hello,
    > >
    > > I have a redhat 7.2 server that stopped accepting my ssh login. I can
    > > still use my login at the terminal. I also noticed that the host key
    > > changed. My only guess at this point is that the box was probably
    > > compromised. Any good software out there to help me figure it out? Any
    > > other ideas as to what would cause this?
    > > Anything helps,
    > > Melissa
    > > (THIS IS IN NO WAY AFFILIATED WITH UAB. It's just the address I use for
    > > lists.)
    > >
    > >

    ----------------------------------------------------------------------------
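The protocol check suggested in the thread (which versions sshd allows versus which versions the client is set to use), as an added example that is not part of the original messages. The sample config, the banner string and the fallback default are constructed assumptions, and the parser is simplified to read only the `Protocol` keyword.

```python
import re

# Constructed sample input (not taken from the thread).
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
#Protocol 2,1
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
"""

def server_protocols(config_text, default=("2", "1")):
    """Return the SSH protocol versions enabled by the Protocol directive.

    `default` is an assumption for configs with no Protocol line; the real
    default depends on the installed OpenSSH version.
    """
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        m = re.match(r"(?i)protocol[\s=]+(.+)$", line)
        if m:  # sshd uses the first value it finds for a keyword
            return {v.strip() for v in m.group(1).split(",") if v.strip()}
    return set(default)

def banner_protocols(banner):
    """Map an SSH identification string to the versions the server offers."""
    m = re.match(r"SSH-(\d+\.\d+)-", banner)
    if not m:
        raise ValueError("not an SSH identification string")
    proto = m.group(1)
    if proto == "1.99":          # server speaks both 1.x and 2.0
        return {"1", "2"}
    return {"2"} if proto.startswith("2.") else {"1"}

def diagnose(server, client):
    """Explain whether a client restricted to `client` versions can connect."""
    common = set(server) & set(client)
    if common:
        return "ok: both sides allow protocol " + ",".join(sorted(common))
    return ("mismatch: server allows %s, client allows %s"
            % (",".join(sorted(server)), ",".join(sorted(client))))

if __name__ == "__main__":
    # Client set to "1 only" against a server configured for version 2.
    print(diagnose(server_protocols(SAMPLE_SSHD_CONFIG), {"1"}))
    # Constructed banner, as seen on first connect to port 22.
    print(diagnose(banner_protocols("SSH-1.99-OpenSSH_3.1p1"), {"2"}))
```

A mismatch result accounts for the refused login only; it says nothing about whether the box was compromised.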
    
