Re: need help with openssh attack

To: Kees de Jong <keesdejong@gmail.com>
Cc: debian-security@lists.debian.org
Subject: Re: need help with openssh attack
From: Taz <taz.inside@gmail.com>
Date: Thu, 29 Dec 2011 19:47:16 +0400
Message-id: <[🔎] CA+0W4NnjvU54+zFj-1hH2jyRcMRwLG1jFYmon_Ji4X5PgH7VDA@mail.gmail.com>
In-reply-to: <[🔎] CA+0W4NkGtAZxBD4=5yOp-3funTB7bFNwyxxSVTgb8cYbbwWm3g@mail.gmail.com>
References: <[🔎] CA+0W4N=At0EsJ+Y3d8DRZW8u+S6Tcr6BCUha+W+U5rL-80v8QA@mail.gmail.com> <[🔎] CAAH150am+EpJ2B2LQndxjSbkbzDr1deiO3=S9y7o83XNdQ2_2Q@mail.gmail.com> <[🔎] CA+0W4NkGtAZxBD4=5yOp-3funTB7bFNwyxxSVTgb8cYbbwWm3g@mail.gmail.com>

of course, i've double changed all password and regenerated ssh keys.

On Thu, Dec 29, 2011 at 7:44 PM, Taz <taz.inside@gmail.com> wrote:
> http://security.stackexchange.com/questions/10202/perl-script-rootkit
>
> here it is, all the details. please check out
>
> On Thu, Dec 29, 2011 at 7:31 PM, Kees de Jong <keesdejong@gmail.com> wrote:
>> If you are absolutely sure that they gained root access then there is no
>> other alternative then to kill the internet on those machines.
>> And then you should back up all the data you want to preserve so that you
>> can reinstall those machines safely. There is no telling if they installed
>> another SSH server or other nasty things like rootkits.
>> Most attackers install their own SSH server so that any changes your make to
>> patch your security holes aren't putting them out of business.
>> Unless you have aide installed and made regular checksums of all the files
>> and configs then you have no idea if anything is changed since the attack.
>> You can also try rkhunter and chkrootkit to find any rootkits on your
>> system, but they aren't conclusive.
>>
>> The only way to be sure that you are in the clear is a total new start on
>> all the affected machines.
>>
>>
>> PS: We all got it now, fail2ban is a great tool ;-)
>>
>>
>>
>>
>> On Thu, Dec 29, 2011 at 15:04, Taz <taz.inside@gmail.com> wrote:
>>>
>>> Hello, we've got various debian servers, about 15, with different
>>> versions. All of them have been attacked today and granted root
>>> access.
>>> Can anybody help? We can give ssh access to attacked machine, it seems
>>> to be serious ssh vulnerability.
>>>
>>> How can i contact openssh mnt?
>>>
>>> Thank you.
>>>
>>>
>>> --
>>> To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
>>> with a subject of "unsubscribe". Trouble? Contact
>>> listmaster@lists.debian.org
>>> Archive:
>>> [🔎] CA+0W4N=At0EsJ+Y3d8DRZW8u+S6Tcr6BCUha+W+U5rL-80v8QA@mail.gmail.com">http://lists.debian.org/[🔎] CA+0W4N=At0EsJ+Y3d8DRZW8u+S6Tcr6BCUha+W+U5rL-80v8QA@mail.gmail.com
>>>
>>
>>
>>
>> --
>> Met vriendelijke groet,
>> Kees de Jong
>>
>>
>> De informatie opgenomen in dit bericht kan vertrouwelijk zijn en is
>> uitsluitend bestemd voor de geadresseerde(n).
>> Indien u dit bericht onterecht ontvangt, wordt u verzocht de inhoud niet te
>> gebruiken en de afzender direct te informeren door het bericht te
>> retourneren.
>> --
>> The information contained in this message may be confidential and is
>> intended to be exclusively for the addressee(s).
>> Should you receive this message unintentionally, please do not use the
>> contents herein and notify the sender immediately by return e-mail.
>>

Reply to:

Follow-Ups:
- Re: need help with openssh attack
  - From: Taz <taz.inside@gmail.com>
- Re: need help with openssh attack
  - From: Russell Coker <russell@coker.com.au>

References:
- need help with openssh attack
  - From: Taz <taz.inside@gmail.com>
- Re: need help with openssh attack
  - From: Kees de Jong <keesdejong@gmail.com>
- Re: need help with openssh attack
  - From: Taz <taz.inside@gmail.com>

Prev by Date: RE: need help with openssh attack
Next by Date: Re: need help with openssh attack
Previous by thread: Re: need help with openssh attack
Next by thread: Re: need help with openssh attack
Index(es):
- Date
- Thread