Full Disclosure mailing list archives
Re: sshd logins without a source
From: Nikolaos Mitsis <drynhwyl () gmail com>
Date: Sat, 24 Sep 2011 23:24:25 +0300
At the time of the compromise I can see in each servers sshd logs an entry like the following: Sep 22 12:57:14 test-vm sshd[25002]: pam_unix(sshd:session): session opened for user root by (uid=0) Sep 22 12:57:32 test-vm sshd[25002]: pam_unix(sshd:session): session closed for user root
Have you checked the integrity of sshd binary? It could be replaced with a copy that "forgets" to log so you don't get the sshd logs (possibly after receiving a specified password). However the above logs are from pam (pam_unix does the logging on behalf of sshd) so it's not possible to disable this in the sshd binary itself. cheers, ν.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: sshd logins without a source, (continued)
- Re: sshd logins without a source Laurelai (Sep 23)
- Re: sshd logins without a source paul . szabo (Sep 23)
- Re: sshd logins without a source BH (Sep 23)
- Re: sshd logins without a source Laurelai (Sep 23)
- Re: sshd logins without a source paul . szabo (Sep 23)
- Re: sshd logins without a source Jason A. Donenfeld (Sep 26)
- Re: sshd logins without a source Laurelai (Sep 23)
- Re: sshd logins without a source james (Sep 23)