FC4 and ssh passphrases not working
Mike McMullen
mlm at loanprocessing.net
Fri Aug 18 19:33:03 UTC 2006
>> >>netstat -pant only shows connections to port 22 from legit places.
>> >Hmmm. How many other admins does this machine have?
>> It's a small shop. Only me.
>
> This really tends toward the "hacked" theory. Either no one is using the
> connection illicitly now, or it's hidden by a rootkit.
>
> But let's try to eliminate other possibilities. The "netstat -pant" (as
> root) should show you the process ids of the legit ssh sessions. Then, use
> ps (or look in proc... whatever) and see what process is the parent of that
> one. It should be /usr/bin/sshd.
>
> If it's *not* /usr/bin/sshd, that's peculiar. But if it *is*, and "rpm -V
> openssh-server" claims that the sshd is unmodified, and yet it still claims
> to be the debian binary, that's even *more* peculiar.
>
It appears to have been a hack. rpm -V openssh-server showed that
sshd has been modified.
I'll be damned if I know how they got in. I drop ssh packets after 3 attempts
in one minute in iptables. I review logs every morning.
I deleted all ssh packages from one of the minor servers and reinstalled them
and everything worked ok, public keys etc. I know that's not the solution.
Looks like I have several reinstalls to do. Unless someone has a better idea?
Thanks for everyone's help.
Mike
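
An added example, not part of the original message: a small triage filter for the `rpm -V openssh-server` check discussed in this thread, which separates a changed binary such as sshd from expected config-file edits. The function names and the sample output are constructed for illustration; the parser assumes the standard `rpm -V` layout (an 8- or 9-character flag column, an optional one-letter file-type marker, then the path).

```shell
#!/bin/sh
# Triage `rpm -V <package>` output read from stdin.
# Function names and the sample below are constructed for illustration.

triage_rpm_verify() {
    awk '
    NF < 2 { next }                      # skip blank or malformed lines
    {
        flags = $1; kind = ""; path = $2
        # Optional marker between flags and path: c=config d=doc g=ghost l=license r=readme
        if (NF >= 3 && $2 ~ /^[cdglr]$/) { kind = $2; path = $3 }

        # Third flag column is the file digest: "5" = differs, "?" = could not be read
        d = substr(flags, 3, 1)
        if (flags == "missing") state = "missing"
        else if (d == "5")      state = "content-changed"
        else if (d == "?")      state = "unverifiable"
        else                    state = "metadata-only"

        if (state == "metadata-only")      print "NOTE", state, path
        else if (state == "unverifiable")  print "UNKNOWN", state, path
        else if (kind == "c")              print "REVIEW", state, path
        else                             { print "ALERT", state, path; bad = 1 }
    }
    END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample of what `rpm -V openssh-server` might print.
sample_rpm_verify() {
    cat <<'EOF'
S.5....T.    /usr/sbin/sshd
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/libexec/openssh/sftp-server
EOF
}

if ! sample_rpm_verify | triage_rpm_verify; then
    echo "packaged non-config file changed or missing: treat the host as compromised"
fi
```

On a live system the input would come from `rpm -V openssh-server | triage_rpm_verify`. A clean result from a host that may carry a rootkit proves little, since the rpm binary and database can be altered too; verifying from rescue media with `rpm -V --root` against the mounted filesystem is more trustworthy.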