ssh binary modified
Bill Moran
wmoran at collaborativefusion.com
Sat Nov 27 13:05:46 UTC 2010
On 11/26/10 8:55:58 AM, Nick Knight wrote:
> Hi,
>
> I've just found a problem with ssh on one of my servers, I'm hoping someone
> can give me some insight into what's caused the problem.
>
> When I try to use scp or ftp I get the following error:
> command-line: line 0: Bad configuration option: PermitLocalCommand
> lost connection
>
> I've just noticed my /usr/bin/ssh binary was modified two days ago although
> no updates have been run.
>
> I've noticed a strange new file: /etc/ssh/.sshd_auth
> This has file permission 755 and contained two entries of my plain text
> login:
> myuser:clearpassword
> myuser:clearpassword
>
> FreeBSD hostname 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:02:08 UTC
> 2009 root at mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64
>
> OpenSSH_5.2p1 FreeBSD-20090522, SSH protocols 1.5/2.0, OpenSSL 0x009080bf
>
> MD5 (/usr/bin/ssh) = 39d889822b743a86ab150e12692c85b7
>
> Has anyone seen the file /etc/ssh/.sshd_auth before?
I don't have that file on any of my servers, and it's not referenced in
any of the documentation.
I would assume that your server has been compromised, along with your
password. I would get that server offline and do either forensics or a
clean rebuild (depending on your situation)
If I were you, I would also assume that any accounts that share that
password are also compromised. Change the password everywhere, and if
you use it for online banking or other financial stuff, notify your bank
and have credit or debit cards reissued.
Good luck,
Bill
More information about the freebsd-security
mailing list