ssh binary modified

Nick Knight nick at
Fri Nov 26 14:24:13 UTC 2010


I've just found a problem with ssh on one of my servers, I'm hoping someone
can give me some insight into what's caused the problem.

When I try to use scp or ftp I get the following error:
command-line: line 0: Bad configuration option: PermitLocalCommand
lost connection

I've just noticed my /usr/bin/ssh binary was modified two days ago although
no updates have been run.

I've noticed a strange new file: /etc/ssh/.sshd_auth
This has file permission 755 and contained two entries of my plain text

FreeBSD hostname 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:02:08 UTC
2009     root at  amd64

OpenSSH_5.2p1 FreeBSD-20090522, SSH protocols 1.5/2.0, OpenSSL 0x009080bf

MD5 (/usr/bin/ssh) = 39d889822b743a86ab150e12692c85b7

Has anyone seen the file /etc/ssh/.sshd_auth before?


Nick Knight

More information about the freebsd-security mailing list