Security Basics mailing list archives
Re: possibly compromised redhat 7.2 box
From: James Kelly <jim () essistants com>
Date: Wed, 26 May 2004 23:20:28 +0000
And it could be even simpler than that... verify the obvious first, that sshd is running on the server, the firewall port is open, etc. I have oftentimes made simple mistakes when editing firewall rules that shut down my access to ssh. Sounds dumb but always start simple....

Jim

Brecrost Jones wrote:
| Also, check which SSH protocols sshd is allowing (probably
| /etc/ssh/sshd_config, or thereabouts), and which protocol your SSH
| client is using (if PuTTY, look under Connection->SSH). If your sshd or
| PuTTY has been upgraded recently, there may be a mismatch. I think the
| latest version of PuTTY was changed to default to SSH protocol version
| 2, maybe your server is only allowing version 1 (?). Or perhaps sshd
| was upgraded, and defaults to version 2, but your PuTTY is set to use
| version 1 only.
|
| Hope that helps.
|
|> -----Original Message-----
|> From: Kalpin Erlangga Silaen [mailto:kalpin () solonet co id]
|> Sent: May 23, 2004 10:56 PM
|> To: Melissa McGillis; Security-Basics
|> Subject: Re: possibly compromised redhat 7.2 box
|>
|> Dear Melissa,
|> I think this happened because someone (I hope s/he is your Administrator)
|> changed/upgraded your sshd. To fix it, try to edit your known_hosts2 at
|> ~/.ssh/
|> or just remove ~/.ssh by typing : $rm -rf .ssh.
|> If you are using windows then remove putty.rnd (if you are using putty)
|> from root directory (please read the manual).
|>
|> I hope this will help you
|>
|> Regards,
|>
|> Kalpin Erlangga S
|>
|> ----- Original Message -----
|> From: "Melissa McGillis" <mcgillim () cis uab edu>
|> To: "Security-Basics" <security-basics () securityfocus com>
|> Sent: Friday, May 21, 2004 2:17 AM
|> Subject: possibly compromised redhat 7.2 box
|>
|> > Hello,
|> >
|> > I have a redhat 7.2 server that stopped accepting my ssh login. I can still
|> > use my login at the terminal. I also noticed that the host key changed. My
|> > only guess at this point is that the box was probably compromised. Any good
|> > software out there to help me figure it out? Any other ideas as to what
|> > would cause this?
|> > Anything helps,
|> > Melissa
|> > (THIS IS IN NO WAY AFFILIATED WITH UAB. It's just the address I use for
|> > lists.)
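The protocol-mismatch check suggested in the quoted reply above, written out as an added example that is not part of the original thread. The function names, the constructed sample config and the fallback value "2,1" (assumed here as the server default when no Protocol line is present) are assumptions.

```shell
#!/bin/sh
# Added example: report which SSH protocol versions an sshd_config permits
# and whether a client pinned to one version can connect.

# Print the effective Protocol value from the sshd_config file in $1.
# Keywords are case-insensitive, the first uncommented occurrence wins,
# and lines starting with '#' are comments. The fallback "2,1" is an
# assumption; pass a different default as $2 if your sshd differs.
sshd_protocols() {
    awk -v def="${2:-2,1}" '
        /^[ \t]*#/ { next }
        tolower($1) == "protocol" && !found { val = $2; found = 1 }
        END { print (found ? val : def) }
    ' "$1"
}

# Succeed (exit 0) if client protocol version $1 is permitted by file $2.
client_accepted() {
    case ",$(sshd_protocols "$2")," in
        *",$1,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# One-line verdict for a client restricted to protocol version $1.
diagnose() {
    if client_accepted "$1" "$2"; then
        echo "ok: server permits protocol $1"
    else
        echo "mismatch: client uses $1, server permits $(sshd_protocols "$2")"
    fi
}

# Constructed sample config (not taken from the poster's server).
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
#Protocol 2,1
protocol 1
Protocol 2
EOF
diagnose 2 "$sample"   # a client defaulting to version 2
diagnose 1 "$sample"   # a client pinned to version 1
rm -f "$sample"
```

On a real server, point `diagnose` at the sshd_config actually in use and pass the version selected in the client.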
Current thread:
- possibly compromised redhat 7.2 box Melissa McGillis (May 21)
- Re: possibly compromised redhat 7.2 box Kalpin Erlangga Silaen (May 25)
- <Possible follow-ups>
- Re: possibly compromised redhat 7.2 box Eric Gunnett (May 21)
- Re: possibly compromised redhat 7.2 box James Turnbull (May 25)
- RE: possibly compromised redhat 7.2 box Brecrost Jones (May 26)
- RE: possibly compromised redhat 7.2 box UPDATE Melissa McGillis (May 27)
- Re: possibly compromised redhat 7.2 box UPDATE - harden Alvin Oga (May 27)
- Re: possibly compromised redhat 7.2 box James Kelly (May 27)
- RES: possibly compromised redhat 7.2 box Nelson B. dos Santos Neto (May 27)
- RE: possibly compromised redhat 7.2 box UPDATE Melissa McGillis (May 27)