Full Disclosure mailing list archives

Re: sshd logins without a source

From: Nikolaos Mitsis <drynhwyl () gmail com>
Date: Sat, 24 Sep 2011 23:24:25 +0300

At the time of the compromise I can see in each
servers sshd logs an entry like the following:

Sep 22 12:57:14 test-vm sshd[25002]: pam_unix(sshd:session): session
opened for user root by (uid=0)
Sep 22 12:57:32 test-vm sshd[25002]: pam_unix(sshd:session): session
closed for user root


Have you checked the integrity of sshd binary? It could be replaced with a
copy that "forgets" to log so you don't get the sshd logs (possibly after
receiving a specified password).
However the above logs are from pam (pam_unix does the logging on behalf of
sshd) so it's not possible to disable this in the sshd binary itself.

cheers,
ν.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Re: sshd logins without a source, (continued)
- - Re: sshd logins without a source Laurelai (Sep 23)
    - Re: sshd logins without a source paul . szabo (Sep 23)
    - Re: sshd logins without a source BH (Sep 23)
    - Re: sshd logins without a source Laurelai (Sep 23)
    - Re: sshd logins without a source paul . szabo (Sep 23)
    - Re: sshd logins without a source Jason A. Donenfeld (Sep 26)
- Re: sshd logins without a source Bacanu Adrian-Daniel (Sep 23)
  - Re: sshd logins without a source james (Sep 23)
- Re: sshd logins without a source Valdis . Kletnieks (Sep 23)
- Re: sshd logins without a source GloW - XD (Sep 23)
- Re: sshd logins without a source Nikolaos Mitsis (Sep 26)