#1
Member (Devshed Newbie, 0 - 499 posts)
Join Date: Jun 2002 | Posts: 29 | Rep Power: 0

Might I have been invaded?

I admin one server on the internet with only OpenSSH, SFTP via OpenSSH, Oracle 1521, Tomcat and Apache; the other ports have been closed by iptables.

However, today I cannot connect to this website by SFTP.
The client said the protocol does not match any more: it is openssh -1.5-2.9v, but it should be openssh-1.99-2.9v, as it has worked for a long time.

My question is: have I been invaded? Or, why could the OpenSSH header change?

Thanks for your tips,
fredkerick
#2
Contributing User (Devshed God 1st Plane, 5500 - 5999 posts)
Join Date: Oct 2000 | Location: Back in the real world. | Posts: 5,966 | Rep Power: 190
Sorry to hear that.

Seems like you have been hacked.
"as it has worked for a long time."
Did you keep your kernel, SSH and Apache / Tomcat / Oracle up to date? Did you check whether your iptables config works, with nmap or another port scanner from a remote host? And which distribution / version do you use?

I am subscribed to the SuSE security mailing list, and on March 07 they had a warning about OpenSSH < 3.1 ........ buffer overflow ...
Any sysadmin of a system connected to the 'net should read at least one security mailing list! (RH, SuSE, independent ones like CERT / AntiOnline / rootshell ...)

You should shut down your server, boot from a CD-ROM, back up all data to a second hard drive or tape, re-install from scratch and apply all security updates/patches available before you reconnect to the 'net.
After this you can analyze the backup data for signs of an intrusion, but today's rootkits seldom leave traces....
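The symptom in post #1 is a change in the SSH identification string, and post #2 suggests probing the host from outside. The identification string an SSH server sends first is defined in RFC 4253 section 4.2 as "SSH-protoversion-softwareversion" with optional comments; a protoversion of "1.99" means the server accepts both protocol 1 and protocol 2, "1.5" means protocol 1 only, and "2.0" means protocol 2 only, so a client that negotiated protocol 2 against a "1.99" server will refuse a server that now announces "1.5". The following script is an added example, not code from the thread or from OpenSSH: it parses such banners, compares a live or recorded banner against a baseline, and reports drift. The two sample banners (BASELINE and OBSERVED) are constructed for illustration; the real strings on the poster's server are not reproduced on the page.

```python
"""Parse SSH identification strings and report drift from a recorded baseline.

Added example. The banner format follows RFC 4253 section 4.2:
  SSH-protoversion-softwareversion [SP comments] CR LF
"""
import re
import socket
from typing import Dict, List, Optional, Tuple

# One regex for the whole line; comments are optional and separated by a space.
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?:[ \t]+(?P<comments>.*))?$"
)

# Protocol families implied by each protoversion value (RFC 4253 section 5).
PROTOCOLS: Dict[str, Tuple[str, ...]] = {
    "1.5": ("1",),
    "1.99": ("1", "2"),
    "2.0": ("2",),
}

# Constructed sample banners (assumed, not copied from the thread): a sshd that
# speaks both protocols, and the same software suddenly offering protocol 1 only.
BASELINE = "SSH-1.99-OpenSSH_2.9p2"
OBSERVED = "SSH-1.5-OpenSSH_2.9p2"


def parse_banner(line: str) -> Dict[str, Optional[object]]:
    """Split an identification string into protoversion, softwareversion and comments."""
    line = line.rstrip("\r\n")
    m = BANNER_RE.match(line)
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    proto = m.group("proto")
    return {
        "proto": proto,
        "software": m.group("software"),
        "comments": m.group("comments"),
        "protocols": PROTOCOLS.get(proto),  # None for values the table does not know
    }


def banner_drift(baseline: str, observed: str) -> List[str]:
    """Return human-readable findings where `observed` differs from `baseline`."""
    b, o = parse_banner(baseline), parse_banner(observed)
    findings: List[str] = []
    if o["proto"] != b["proto"]:
        findings.append(f"protoversion changed {b['proto']} -> {o['proto']}")
    bp, op = b["protocols"], o["protocols"]
    if bp and op and "2" in bp and "2" not in op:
        findings.append("server no longer offers SSH protocol 2; protocol-2 clients will refuse it")
    if o["software"] != b["software"]:
        findings.append(f"softwareversion changed {b['software']} -> {o['software']}")
    return findings


def fetch_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the identification line from a live server; the only network-touching function.

    RFC 4253 allows the server to send other lines before the one beginning "SSH-",
    so skip until that prefix appears. Run this from a different machine than the
    suspect host, as post #2 recommends for the port scan.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        for raw in s.makefile("rb"):
            line = raw.decode("ascii", "replace")
            if line.startswith("SSH-"):
                return line.rstrip("\r\n")
    raise ValueError("no identification string received")


def demo() -> List[str]:
    """Compare the constructed baseline and observed banners."""
    return banner_drift(BASELINE, OBSERVED)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The same identification string is what `nmap -sV` shows for port 22, so the comparison can be run against a saved scan as well as a live connection. A banner that changes without an administrator having upgraded the package is exactly the kind of drift worth alerting on, whatever the cause turns out to be.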
#3
Member (Devshed Newbie, 0 - 499 posts)
Join Date: Jun 2002 | Posts: 29 | Rep Power: 0
Thanks M.Hirsch,
my version is Red Hat 7.2; the OpenSSH is the version that came with it. May I update to the newest version?

Moreover, it really worked fine for a long time.

Best regards,
frederick
#4
Contributing User (Devshed God 1st Plane, 5500 - 5999 posts)
Join Date: Oct 2000 | Location: Back in the real world. | Posts: 5,966 | Rep Power: 190
Time is the enemy of the security administrator, not hackers.
If you use "outdated" software, it's just a matter of time until some automatic script scans your machine and finds the security hole.
Since security holes are published, most programmers could write code to exploit them.

Of course old software does not cease working by itself (besides MS Windows and some other crappy programs). Somebody had his hands on it...

And: no, you must not update this system, but format the hard drive and re-install. Then update. Your system could be completely modified so you don't get the hacker's files displayed in "ls -la", no hacker processes running in "top" or "ps axu", ...
This all can be done on kernel level, so you really have no chance to circumvent it other than reinstalling. He/she replaced your SSH package already (probably with a version that logs passwords, so use new passwords after reinstalling!)

Hope you have backups... if you make them now, chances are good that the hacker f'd something up already...
    Last edited by M.Hirsch; June 7th, 2002 at 03:06 PM.
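Post #2 says to analyze the backup data after reinstalling, and post #4 explains why that analysis cannot be done with the suspect host's own `ls` and `ps`: a kernel-level rootkit can hide files and processes from them. The usual way around that is to mount the copied disk from a rescue environment and compare every file against a manifest taken from a clean install of the same package set. The script below is an added example, not code from the thread: `build_manifest` records a SHA-256 digest, permission bits and size for every regular file under a root, and `compare_manifests` reports modified, added, missing and mode-changed paths. The `demo` function builds two tiny constructed trees (a "clean" one and a "suspect" one with a replaced sshd binary, a hidden extra file, a changed mode and a deleted log) purely to show the output; the file names in it are illustrative assumptions.

```python
"""Offline integrity comparison of a suspect filesystem copy against a clean baseline.

Added example. Run build_manifest() from a rescue CD against the mounted suspect
disk (never with the suspect host's own binaries) and against a fresh install of
the same packages, then diff the two manifests with compare_manifests().
"""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple

Manifest = Dict[str, Tuple[str, int, int]]  # relpath -> (sha256 hex, mode bits, size)


def build_manifest(root: str) -> Manifest:
    """Hash every regular file under `root`, keyed by path relative to `root`."""
    manifest: Manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: do not follow symlinks into other trees
            if not stat.S_ISREG(st.st_mode):
                continue
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = (h.hexdigest(), stat.S_IMODE(st.st_mode), st.st_size)
    return manifest


def compare_manifests(baseline: Manifest, suspect: Manifest) -> Dict[str, List[str]]:
    """Classify every path as modified, added, missing or mode_changed relative to baseline."""
    report: Dict[str, List[str]] = {"modified": [], "added": [], "missing": [], "mode_changed": []}
    for path, (digest, mode, _size) in suspect.items():
        if path not in baseline:
            report["added"].append(path)
            continue
        b_digest, b_mode, _b_size = baseline[path]
        if digest != b_digest:
            report["modified"].append(path)
        if mode != b_mode:
            report["mode_changed"].append(path)
    for path in baseline:
        if path not in suspect:
            report["missing"].append(path)
    return {k: sorted(v) for k, v in report.items()}


def _write(root: str, rel: str, data: bytes, mode: int = 0o644) -> None:
    """Helper for the constructed demo trees."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)
    os.chmod(full, mode)


def demo() -> Dict[str, List[str]]:
    """Constructed example: a clean tree and a tampered copy of it (illustrative names only)."""
    clean = tempfile.mkdtemp(prefix="clean-")
    suspect = tempfile.mkdtemp(prefix="suspect-")
    for root in (clean, suspect):
        _write(root, "usr/sbin/sshd", b"clean sshd binary", 0o755)
        _write(root, "etc/ssh/sshd_config", b"Protocol 2,1\n", 0o600)
        _write(root, "etc/passwd", b"root:x:0:0::/root:/bin/bash\n", 0o644)
    _write(clean, "var/log/secure", b"sshd[1]: Accepted password for fred\n", 0o600)
    # Tampering on the suspect copy: replaced daemon, world-readable config,
    # a file hidden in a dot-directory, and a removed log.
    _write(suspect, "usr/sbin/sshd", b"trojaned sshd that logs passwords", 0o755)
    os.chmod(os.path.join(suspect, "etc", "ssh", "sshd_config"), 0o644)
    _write(suspect, "usr/lib/.x/sniffed", b"fred:hunter2\n", 0o600)
    return compare_manifests(build_manifest(clean), build_manifest(suspect))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

Two caveats from the thread itself apply: the baseline must come from media the attacker never touched, and this tells you what changed, not whether anything else was done with the access, which is why post #4 still recommends reinstalling and rotating passwords rather than cleaning in place.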
#5
Member (Devshed Newbie, 0 - 499 posts)
Join Date: Jun 2002 | Posts: 29 | Rep Power: 0
Thanks for your help, I will take this lesson for security.
I will do all the work following your words.

frederick
