Re: ssh2

roland wrote:
On Tue, 16 Sep 2008 22:19:51 +0200, Nifty Fedora Mitch <niftyfedora@xxxxxxxxxxxx> wrote:

On Tue, Sep 16, 2008 at 11:30:14AM +0200, roland wrote:

I am using a terminal emulator, Anita, to log in to a server, which validates
the ssh connection with the 3DES cipher.

Now this server has been hacked; somebody entered as the root user.
Suddenly I have ssh2.

So root has been compromised?
How do you know?

I saw the login in /var/log/messages.
And suddenly I had a dir ssh2 in /root, which is not normal, I think. One only gets it when generating an RSA or DSA key, doesn't one?

So now I get the following message, when trying to login:
dsa_verify failed for server_host_key

Again: that is because the host key on the server has changed, probably because a new sshd has been installed. The fact that the old keys were not used means either an incompetent hacker or just that you are connected to the wrong machine. It's a warning from your terminal program, so that you don't type a password which can be stolen.

I see the directory .ssh2 in the /root directory, but not in any $HOME dir.

How can I stop ssh2 verifying?

Or is there something else I can do?

Was Anita compromised?
No, because I have the same problem here from Greece.

Was Anita updated?
No, why should I? It always worked, and this version of mine works with all other clients.

Was Anita changed?
No, same answer.

I have to say, something awkward is going on there, because all workstations failed to connect with Anita, except one.

Was the author of Anita contacted?
No.
Anita for Windows?
Yes.
Anita for the web?

Is Anita connecting to sshd on the Linux host in the same way that PuTTY does?

How can I tell? ssh is not a thing I could say I have mastered.

Can you log in and 'su -' to root?
Yes.

I changed the password, and now this guy is trying to log in again, but fails. Apparently he was not ready, but maybe changed the key.

If so, can you look at the logs?
Do the logs make sense?
Yes, like I said above.


dsa_verify failed for server_host_key tells me that a key was changed,
not that the host was compromised... If you update the key, the
old key needs to be removed....

Can you tell me what the best way is to generate those keys? My last experience with this failed.

Is it possible that the night shift upgraded to ssh2 or added it?
I am the only one.

Is it possible that the night shift added (incorrectly) their own key?
-- php, perl, java, etc...
Like above.

As others indicated -- IF it has been HACKED,
SHUT IT DOWN, pull the plug.  The legal liability
of keeping a hacked system up and running
is large.
As I said, I will do this when I'm back from holidays.

Are the keys in the .ssh2 dir telling you anything?
??

If .ssh2 does not contain your keys -- rename/remove it.

Do the keys in the .ssh2 dir belong to anyone... someone you can call.
Sometimes the comments are informative and id a host or person.

It might be that someone knows what was done in your absence.
Who else has passwords or access to the systems?
Those who could know the root password don't know anything about Linux or others.


How does ssh check keys? I am asking this because Anita fails before she knows who is logging in. So if she takes the Windows login, which is mine, she would log in or check in $HOME/.ssh. And in $HOME there is no .ssh2, so probably /etc/ssh/ will be checked for DSA and RSA keys. So if I remove those keys, would that change it?

I would not expect the .ssh2 directory to be generated on login from outside, although ssh would check for an "authorized keys" file. In checking a number of accounts I know are used but not for outgoing ssh, I find no such directories on any account. Therefore I'm reasonably certain that this was created for an outgoing ssh connection.

The reason you get a host key warning is that the host keys in /etc/ssh have been changed. It might be that you have an unauthorized copy of sshd running which is keylogging every password used to log in. This is why people are telling you to shut the machine down; it may well be doing more damage every day.

What are the dates on the files in /etc/ssh*? In the .ssh2 directory? Is your client going to suffer any damages by having all of their data and passwords revealed?

Thanks again
roland
--
Bill Davidsen <davidsen@xxxxxxx>
  "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot
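The host-key check Bill describes (the client compares the key the server presents against the one recorded for that host, and warns when they differ) is easy to reproduce offline. The Python below is an added example written for this archive page; it is not code from the thread or from OpenSSH. It reads a known_hosts file in the OpenSSH format, handles both plain and hashed ("|1|salt|hmac") host fields, classifies the offered key as OK, CHANGED (the situation behind a "host key has changed" or "dsa_verify failed" warning) or UNKNOWN (first contact), and prints the fingerprints an admin would compare with `ssh-keygen -lf /etc/ssh/ssh_host_dsa_key.pub` on the server. All hostnames, the salt and the key blobs are constructed sample data, not real keys.

```python
"""Added example: how an ssh client decides whether a server host key is
known, changed or new, using a known_hosts file. Constructed sample data only."""
import base64
import hashlib
import hmac


def hashed_host_entry(hostname: str, salt: bytes) -> str:
    """Build a hashed known_hosts host field: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())


def host_field_matches(field: str, hostname: str) -> bool:
    """True if any comma-separated pattern in the host field names `hostname`."""
    for pattern in field.split(","):
        if pattern.startswith("|1|"):
            _, _, salt_b64, hash_b64 = pattern.split("|")
            salt = base64.b64decode(salt_b64)
            digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(digest, base64.b64decode(hash_b64)):
                return True
        elif pattern == hostname:
            return True
    return False


def check_host_key(known_hosts: str, hostname: str, key_type: str, key_b64: str) -> str:
    """Return 'OK', 'CHANGED' or 'UNKNOWN' for the key the server offered.

    CHANGED means the host is on record with a key of this type but the server
    now presents a different one: the case behind the warning in the thread.
    """
    host_known = False
    for raw in known_hosts.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("@"):   # @cert-authority/@revoked markers not handled here
            continue
        hosts, ktype, blob = parts[0], parts[1], parts[2]
        if ktype != key_type or not host_field_matches(hosts, hostname):
            continue
        host_known = True
        if hmac.compare_digest(blob.encode(), key_b64.encode()):
            return "OK"
    return "CHANGED" if host_known else "UNKNOWN"


def fingerprint_sha256(key_b64: str) -> str:
    """ssh-keygen -l style SHA256 fingerprint: base64 of sha256(blob), no '=' padding."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(key_b64: str) -> str:
    """Colon-separated MD5 fingerprint (ssh-keygen -l -E md5 form; 2008-era
    ssh-keygen printed the same hex pairs without the MD5: prefix)."""
    hexd = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return "MD5:" + ":".join(hexd[i:i + 2] for i in range(0, 32, 2))


# Constructed sample key blobs (not real DSA keys; a real blob is the base64 of
# the wire-format public key, and the fingerprint is taken over those bytes).
OLD_KEY = base64.b64encode(b"sample-old-ssh-dss-key-blob").decode()
NEW_KEY = base64.b64encode(b"sample-new-ssh-dss-key-blob").decode()
SALT = b"0123456789abcdef0123"   # constructed 20-byte salt

# Constructed known_hosts: the same host recorded plain and hashed, plus an
# unrelated host.
KNOWN_HOSTS = "\n".join([
    "# constructed sample file",
    "server.example.com,192.0.2.10 ssh-dss " + OLD_KEY,
    hashed_host_entry("server.example.com", SALT) + " ssh-dss " + OLD_KEY,
    "other.example.com ssh-dss " + NEW_KEY,
])

if __name__ == "__main__":
    for host, key in [("server.example.com", OLD_KEY),   # OK
                      ("server.example.com", NEW_KEY),   # CHANGED: new sshd / new keys
                      ("192.0.2.10", OLD_KEY),           # OK via the IP alias
                      ("new.example.com", OLD_KEY)]:     # UNKNOWN: first contact
        print("%-20s %s %s" % (host, fingerprint_sha256(key),
                               check_host_key(KNOWN_HOSTS, host, "ssh-dss", key)))
```

The CHANGED branch is the one to act on: before removing the stale line from known_hosts, get the fingerprint of the current /etc/ssh/ssh_host_*_key.pub out of band (console, or someone physically at the machine) and compare it with what the client now reports; if nobody regenerated the host keys on purpose, the machine should be treated as compromised, as the thread advises.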

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
