Re: Have I been hacked?
Hello,
The SSH error is usually caused by the SSH server (your machine) being
reformatted, or having SSH uninstalled and reinstalled, or having the
public/private keys regenerated for some reason. Have you recently made any
changes to SSH, or reinstalled your system?
It could also happen if he has been making changes to his "~/.ssh/known_hosts" file.
HTH...
Richard.
Quoting Ian Goodall <ijg@iangoodall.co.uk>:
> Thanks for your help Guys.
>
> It now says this:
>
> > wtmp begins Wed May 7 13:21:47 2003
>
> I think that is what had happened. I am new to this and this just looked
> dodgy to me!
>
> A friend also has ssh shell access to the box and got the following error
> message when connecting to the same my box:
>
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>
> @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
>
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
>
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
>
> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
>
> It is also possible that the RSA host key has just been changed.
>
> The fingerprint for the RSA key sent by the remote host is
>
> 51:bd:cd:2e:6a:b7:35:b9:54:33:a8:e2:9a:57:95:0d.
>
> Please contact your system administrator.
>
> I don't get this from any other computers so is this just his computer?
>
> Thanks
>
> ----- Original Message -----
> From: "Eric LeBlanc" <inouk@igt.net>
> To: "Ian Goodall" <ijg@iangoodall.co.uk>
> Cc: <debian-security@lists.debian.org>
> Sent: Wednesday, May 07, 2003 3:23 PM
> Subject: Re: Have I been hacked?
>
>
> >
> > Check if your program has rotated the logs...
> >
> > cd /var/log
> >
> > ls -l wtmp*
> >
> > and, check in /etc/cron* or do a crontab -l (in user root)
> >
> >
> > E.
> > --
> > Eric LeBlanc
> > inouk@igt.net
> > --------------------------------------------------
> > UNIX is user friendly.
> > It's just selective about who its friends are.
> > ==================================================
> >
> > On Wed, 7 May 2003, Ian Goodall wrote:
> >
> > > I am running a debian woody server and when I checked the last users
> > > yesterday I saw a large number of logins in the list. On running the command
> > > today I get the following:
> > >
> > > dev1:/home/ian# last
> > > ian pts/0 172.16.3.195 Wed May 7 14:49 still logged in
> > > team1 pts/0 blue99.ex.ac.uk Wed May 7 13:21 - 13:57 (00:35)
> > >
> > > I have run chkrootkit but nothing was found.
> > >
> > > I have never had this before. Am I being paranoid or is someone trying to
> > > cover up their tracks?
> > >
> > > Thanks
> > >
> > > ijg0
> > >
> > >
> > >
> > > --
> > > To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> > > with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> > >
> >
>
--
Richard Hobbs
hobbs@mongeese.co.uk
http://mongeese.co.uk | http://unixforum.co.uk
"There's only one way of life, and that's your own" - The Levellers
_____________________________________________________
Send all your jokes to jokes@fishsponge.co.uk !!
To subscribe, email: jokes-subscribe@fishsponge.co.uk
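
An added example, not part of the original thread: one way to tell which of the causes above applies is to compute the MD5 colon fingerprint of the server's own host public key and compare it with the fingerprint printed in the warning and with the entry cached in the client's known_hosts. The function names and the sample keys below are constructed for illustration; the keys are not real host keys.

```python
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def md5_fingerprint(line: str) -> str:
    """Colon-separated MD5 fingerprint of the key in a .pub or known_hosts line."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field in KEY_TYPES:
            blob = base64.b64decode(fields[i + 1], validate=True)
            # The blob carries its own length-prefixed key type; it must agree.
            (n,) = struct.unpack(">I", blob[:4])
            if blob[4:4 + n] != field.encode():
                raise ValueError("key type does not match key blob")
            digest = hashlib.md5(blob).hexdigest()
            return ":".join(digest[j:j + 2] for j in range(0, 32, 2))
    raise ValueError("no public key found in line")


def diagnose(warning_fp: str, server_pub_line: str, known_hosts_line: str) -> str:
    """Classify a 'REMOTE HOST IDENTIFICATION HAS CHANGED' warning."""
    offered = warning_fp.strip().rstrip(".").lower()
    server = md5_fingerprint(server_pub_line)
    if offered != server:
        return "mismatch"   # client was offered a key that is not the server's
    if md5_fingerprint(known_hosts_line) != server:
        return "stale"      # server key is genuine; the client's cached key is old
    return "ok"


def constructed_key_line(seed: bytes, host: str = "") -> str:
    """Build a well-formed ssh-rsa line from a seed (constructed sample, not a real key)."""
    def s(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    blob = s(b"ssh-rsa") + s(b"\x01\x00\x01") + s(b"\x00" + hashlib.sha256(seed).digest() * 4)
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}".strip()


if __name__ == "__main__":
    new_key = constructed_key_line(b"regenerated host key")
    old_entry = constructed_key_line(b"key before reinstall", host="dev1")
    print(diagnose(md5_fingerprint(new_key) + ".", new_key, old_entry))  # stale
```

On the server, the input line is the content of the host's public key file; a current OpenSSH prints the same colon format with `ssh-keygen -l -E md5 -f <keyfile>`. A "stale" result means only the client's cached entry needs replacing, while "mismatch" means the key the client saw did not come from this server.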