ssh compromised

mintojoseph · 01-15-2007, 11:20 PM

Hi all,

This is my first post.

I couldn't access my server today morning via ssh and I had to restart it.

I saw following entries in /var/log/secure.

Jan 16 04:13:25 xxxxx sshd[31964]: refused connect from ::ffff:85.18.94.112 (::ffff:85.18.94.112)
Jan 16 04:26:15 xxxxx sshd[32520]: refused connect from ::ffff:81.209.167.239 (::ffff:81.209.167.239)
Jan 16 04:47:04 xxxxx sshd[3621]: Received signal 15; terminating.
Jan 16 05:20:41 xxxxx sshd[3615]: Server listening on :: port 22.

Somebody send a SIGTERM signal to sshd? How could somebody do that?

My current version of ssh is OpenSSH_3.6.1p2, SSH protocols 1.5/2.0..
Will upgrading the ssh will stop the issue from repeating?

zhangmaike · 01-16-2007, 12:27 AM

Is it possible that it was the script which restarts sshd that sent the SIGTERM?

mintojoseph · 01-17-2007, 09:04 PM

But no valid user was logged in that time..

Quote:

Originally Posted by zhangmaike

Is it possible that it was the script which restarts sshd that sent the SIGTERM?

anomie · 01-17-2007, 09:42 PM

The log shows a couple users being blocked by (what appears to be) tcp_wrappers.

sshd received its kill instructions, and then it's listening on port 22 awhile later. I'm presuming the kill was not from you rebooting the box...

Upgrade to the latest OpenSSH version, sure, but more importantly: turn off SSH protocol 1.

Matir · 01-17-2007, 11:09 PM

When you rebooted, was it a "hard" reboot, or could ACPI have initiated a proper shutdown? (i.e., were the shutdown scripts run?)

mintojoseph · 01-18-2007, 09:07 PM

Thank you for the clarification guys...