sdonnet@ddo-org.com writes:
>Hi,
>Since this weekend, I have had big problems on my RHEL3 server, with sshd
>:
>- I can no longer connect from clients with ssh. I was able to connect
>for 2 years,
>- I have 2 new lines in my sshd_config : "DString sweetgeorgiana" and
>"DVersion openssh-.3.6p2...",
>- I deleted these 2 lines last Saturday evening, and they came back on
>Sunday,
>- between Saturday and Sunday, I restarted my sshd, and was able to
>connect,
>- I have a process which abnormally opens port 417 : this process
>is called "ssh/bin/initsshd -p 417", directly connected to "init". The
>command line of this process does not begin with "/". I performed a find
>/ -name initsshd without finding it,
>- I also killed this process on Sunday morning, and it is now back on
>Monday morning,
>- I rebooted on Sunday, after examination of /etc/init.d, but I saw
>nothing special.
>Does somebody know what is happening to me? And could I re-protect my
>server, if I have really been hacked?
Sounds to me like you have been cracked.
Back up your crucial stuff.
Wipe the disk.
Reinstall the operating system.
Change ALL passwords.
Use find to scan the reinstalled backup for suid root programs.
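One way to carry out that last step, as an added example that is not part of the original reply: list the setuid executables under a restored backup and compare them against the setuid list of the freshly reinstalled system, so that only unexpected setuid files are printed. The function names, the demo trees and the owner parameter are assumptions for illustration; on a real system you would run it as root against the backup mount point and the clean root, leaving the owner at its default of root.

```shell
#!/bin/sh
# Added example (not from the thread): find setuid files owned by a given user
# under one tree and report those that have no counterpart in a known-clean tree.

# Print setuid regular files under $1 owned by $2 (default: root), one per line,
# as paths relative to $1, sorted. -xdev stays on one filesystem; errors from
# unreadable directories are discarded.
find_suid_owned() {
    root=$1
    owner=${2:-root}
    find "$root" -xdev -type f -user "$owner" -perm -4000 2>/dev/null \
        | sed "s|^$root||" | sort
}

# Print setuid files present in the suspect tree ($1) but absent from the clean
# tree ($2). Both lists are relative paths, so the trees may be mounted anywhere.
# comm needs sorted input, which find_suid_owned already provides.
unexpected_suid() {
    suspect=$1
    clean=$2
    owner=${3:-root}
    c=$(mktemp)
    s=$(mktemp)
    find_suid_owned "$clean" "$owner" > "$c"
    find_suid_owned "$suspect" "$owner" > "$s"
    comm -13 "$c" "$s"
    rm -f "$c" "$s"
}

# Constructed demo data: a "clean" tree with one expected setuid binary, and a
# "backup" tree that has the same binary plus a stray setuid file under /tmp.
# Files are owned by whoever runs this, so the demo passes the current user as
# the owner instead of root. Prints "<clean_dir> <backup_dir>".
make_demo_trees() {
    clean=$(mktemp -d)
    backup=$(mktemp -d)
    for t in "$clean" "$backup"; do
        mkdir -p "$t/usr/bin" "$t/tmp"
        : > "$t/usr/bin/passwd"
        chmod 4755 "$t/usr/bin/passwd"      # expected setuid binary
    done
    : > "$backup/tmp/stray"
    chmod 4755 "$backup/tmp/stray"          # unexpected setuid file
    : > "$backup/usr/bin/ls"
    chmod 0755 "$backup/usr/bin/ls"         # not setuid, must not be listed
    printf '%s %s\n' "$clean" "$backup"
}

# Stand-alone demo run: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    set -- $(make_demo_trees)
    echo "setuid files in backup not present in clean install:"
    unexpected_suid "$2" "$1" "$(id -un)"
    rm -rf "$1" "$2"
fi
```

Anything the comparison prints deserves a look before it is copied onto the new system; a setuid file sitting under /tmp or a home directory, or one whose name does not match a package-installed binary, is exactly the kind of leftover a compromised backup can carry.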