Re: need help with openssh attack

To: Kees de Jong <keesdejong@gmail.com>
Cc: debian-security@lists.debian.org
Subject: Re: need help with openssh attack
From: Taz <taz.inside@gmail.com>
Date: Thu, 29 Dec 2011 19:44:24 +0400
Message-id: <[🔎] CA+0W4NkGtAZxBD4=5yOp-3funTB7bFNwyxxSVTgb8cYbbwWm3g@mail.gmail.com>
In-reply-to: <[🔎] CAAH150am+EpJ2B2LQndxjSbkbzDr1deiO3=S9y7o83XNdQ2_2Q@mail.gmail.com>
References: <[🔎] CA+0W4N=At0EsJ+Y3d8DRZW8u+S6Tcr6BCUha+W+U5rL-80v8QA@mail.gmail.com> <[🔎] CAAH150am+EpJ2B2LQndxjSbkbzDr1deiO3=S9y7o83XNdQ2_2Q@mail.gmail.com>

http://security.stackexchange.com/questions/10202/perl-script-rootkit

here it is, all the details. please check out

On Thu, Dec 29, 2011 at 7:31 PM, Kees de Jong <keesdejong@gmail.com> wrote:
> If you are absolutely sure that they gained root access then there is no
> other alternative then to kill the internet on those machines.
> And then you should back up all the data you want to preserve so that you
> can reinstall those machines safely. There is no telling if they installed
> another SSH server or other nasty things like rootkits.
> Most attackers install their own SSH server so that any changes your make to
> patch your security holes aren't putting them out of business.
> Unless you have aide installed and made regular checksums of all the files
> and configs then you have no idea if anything is changed since the attack.
> You can also try rkhunter and chkrootkit to find any rootkits on your
> system, but they aren't conclusive.
>
> The only way to be sure that you are in the clear is a total new start on
> all the affected machines.
>
>
> PS: We all got it now, fail2ban is a great tool ;-)
>
>
>
>
> On Thu, Dec 29, 2011 at 15:04, Taz <taz.inside@gmail.com> wrote:
>>
>> Hello, we've got various debian servers, about 15, with different
>> versions. All of them have been attacked today and granted root
>> access.
>> Can anybody help? We can give ssh access to attacked machine, it seems
>> to be serious ssh vulnerability.
>>
>> How can i contact openssh mnt?
>>
>> Thank you.
>>
>>
>> --
>> To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
>> with a subject of "unsubscribe". Trouble? Contact
>> listmaster@lists.debian.org
>> Archive:
>> [🔎] CA+0W4N=At0EsJ+Y3d8DRZW8u+S6Tcr6BCUha+W+U5rL-80v8QA@mail.gmail.com">http://lists.debian.org/[🔎] CA+0W4N=At0EsJ+Y3d8DRZW8u+S6Tcr6BCUha+W+U5rL-80v8QA@mail.gmail.com
>>
>
>
>
> --
> Met vriendelijke groet,
> Kees de Jong
>
>
> De informatie opgenomen in dit bericht kan vertrouwelijk zijn en is
> uitsluitend bestemd voor de geadresseerde(n).
> Indien u dit bericht onterecht ontvangt, wordt u verzocht de inhoud niet te
> gebruiken en de afzender direct te informeren door het bericht te
> retourneren.
> --
> The information contained in this message may be confidential and is
> intended to be exclusively for the addressee(s).
> Should you receive this message unintentionally, please do not use the
> contents herein and notify the sender immediately by return e-mail.
>

Reply to:

Follow-Ups:
- Re: need help with openssh attack
  - From: Taz <taz.inside@gmail.com>

References:
- need help with openssh attack
  - From: Taz <taz.inside@gmail.com>
- Re: need help with openssh attack
  - From: Kees de Jong <keesdejong@gmail.com>

Prev by Date: RE: need help with openssh attack
Next by Date: RE: need help with openssh attack
Previous by thread: Re: need help with openssh attack
Next by thread: Re: need help with openssh attack
Index(es):
- Date
- Thread