
Re: Have I been hacked?



The error can also happen if there are a few boxes with ssh that have dynamic
IPs.

On Wednesday 07 May 2003 10:36 am, Hobbs, Richard wrote:
> Hello,
>
> The SSH error is usually caused by the SSH server (your machine) being
> reformatted, or having SSH uninstalled and reinstalled, or having the
> public/private keys regenerated for some reason. Have you recently made any
> changes to SSH, or reinstalled your system?
>
> It could also happen if he has been making changes to his
> "~/.ssh/known_hosts" file.
>
> HTH...
>
> Richard.
>
> Quoting Ian Goodall <ijg@iangoodall.co.uk>:
> > Thanks for your help Guys.
> >
> > It now says this:
> > > wtmp begins Wed May  7 13:21:47 2003
> >
> > I think that is what had happened. I am new to this and this just looked
> > dodgy to me!
> >
> > A friend also has ssh shell access to the box and got the following error
> > message when connecting to the same box:
> >
> > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> >
> > @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
> >
> > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> >
> > IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> >
> > Someone could be eavesdropping on you right now (man-in-the-middle
> > attack)!
> >
> > It is also possible that the RSA host key has just been changed.
> >
> > The fingerprint for the RSA key sent by the remote host is
> >
> > 51:bd:cd:2e:6a:b7:35:b9:54:33:a8:e2:9a:57:95:0d.
> >
> > Please contact your system administrator.
> >
> > I don't get this from any other computers so is this just his computer?
> >
> > Thanks
> >
> > ----- Original Message -----
> > From: "Eric LeBlanc" <inouk@igt.net>
> > To: "Ian Goodall" <ijg@iangoodall.co.uk>
> > Cc: <debian-security@lists.debian.org>
> > Sent: Wednesday, May 07, 2003 3:23 PM
> > Subject: Re: Have I been hacked?
> >
> > > Check if your program has rotated the logs...
> > >
> > > cd /var/log
> > >
> > > ls -l wtmp*
> > >
> > > and, check in /etc/cron* or do a crontab -l (in user root)
> > >
> > >
> > > E.
> > > --
> > > Eric LeBlanc
> > > inouk@igt.net
> > > --------------------------------------------------
> > > UNIX is user friendly.
> > > It's just selective about who its friends are.
> > > ==================================================
> > >
> > > On Wed, 7 May 2003, Ian Goodall wrote:
> > > > I am running a debian woody server and when I checked the last users
> > > > yesterday I saw a large number of logins in the list. On running the
> > > > command today I get the following:
> > > >
> > > > dev1:/home/ian# last
> > > > ian      pts/0        172.16.3.195     Wed May  7 14:49   still logged in
> > > > team1    pts/0        blue99.ex.ac.uk  Wed May  7 13:21 - 13:57  (00:35)
> > > >
> > > > I have run chkrootkit but nothing was found.
> > > >
> > > > I have never had this before. Am I being paranoid or is someone
> > > > trying to cover up their tracks?
> > > >
> > > > Thanks
> > > >
> > > > ijg0
> > --
> > To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact
> > listmaster@lists.debian.org
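
Added example, not part of the original thread: a sketch of the comparison an SSH client makes before printing the warning quoted above, showing why a reassigned dynamic IP and a regenerated host key look identical to the client. The host names, addresses and key blobs are constructed, and the parser assumes plain "names keytype base64-blob" known_hosts lines.

```python
import base64
import hashlib

def md5_fingerprint(b64_blob):
    """Colon-separated MD5 fingerprint of a base64 public-key blob,
    the same format as the fingerprint in the warning above."""
    digest = hashlib.md5(base64.b64decode(b64_blob)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def check_host(known_hosts_text, host, presented_fp):
    """Classify a presented fingerprint against known_hosts entries.
    Returns 'match', 'changed' (entry exists, key differs) or 'unknown'.
    Hashed host names (|1|...) and @markers are skipped in this sketch."""
    seen = False
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@", "|")):
            continue
        names, _keytype, blob = fields[:3]
        if host not in names.split(","):
            continue
        seen = True
        if md5_fingerprint(blob) == presented_fp:
            return "match"
    return "changed" if seen else "unknown"

def _fake_key(label):
    # Constructed stand-in for a key blob; not a real RSA key.
    return base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + label).decode()

# Constructed data: two boxes with different host keys.
KEY_BOX_A = _fake_key(b"box-a")
KEY_BOX_B = _fake_key(b"box-b")
# The client stored box A while it held the dynamic address 192.0.2.10.
KNOWN_HOSTS = f"""# constructed known_hosts
dev1.example.org,192.0.2.20 ssh-rsa {KEY_BOX_A}
192.0.2.10 ssh-rsa {KEY_BOX_A}
"""

def demo():
    fp_a, fp_b = md5_fingerprint(KEY_BOX_A), md5_fingerprint(KEY_BOX_B)
    return {
        # Same box, same key: no warning.
        "same_box": check_host(KNOWN_HOSTS, "dev1.example.org", fp_a),
        # Box B now holds 192.0.2.10, or box A's key was regenerated.
        "reassigned_ip": check_host(KNOWN_HOSTS, "192.0.2.10", fp_b),
        # Never connected before: first-use prompt, not the warning.
        "new_host": check_host(KNOWN_HOSTS, "192.0.2.30", fp_b),
    }

if __name__ == "__main__":
    print(demo())
```

Because the client cannot tell these cases apart, the fingerprint in the warning should be compared with one read on the server itself, for example with `ssh-keygen -l -E md5 -f /etc/ssh/ssh_host_rsa_key.pub` on current OpenSSH.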


