LinuxQuestions.org
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 04-28-2002, 03:18 PM   #1
Savedadogs
Member
 
Registered: Mar 2002
Posts: 41

Rep: Reputation: 15
Ssh Compromised!!??? Help!!!


Please, someone help me, I am a newbie. I had set up the ssh daemon on my RedHat Linux 7.2 server last week. I used openssh. I created the keys and was able to log in to my server through my LAN:

ssh 192.168.1.05.

Here is what happens now when I try to ssh:

[root@localhost root]# ssh 192.168.1.105
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /root/.ssh/known_hosts:1
RSA host key for 192.168.1.105 has changed and you have requested strict checking.
Host key verification failed.


WHAT IS GOING ON??? Has someone compromised my machine? I was also able to ssh from the outside world to my machine last week. I have a dynamic IP. All incoming ssh connections (port 22) are forwarded to 192.168.1.105, my linux server. Please HELP!
 
Old 04-28-2002, 04:37 PM   #2
Savedadogs
Member
 
Registered: Mar 2002
Posts: 41

Original Poster
Rep: Reputation: 15
Can anyone help???
 
Old 04-28-2002, 07:00 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,120
Blog Entries: 54

Rep: Reputation: 2788
This happens sometimes when the host key changed; if so, and you can verify the host *is* the host you're connecting to, open your ~/.ssh/known_hosts and delete the key.

OTOH, from what I've seen (you using RSA instead of DSA), *if* you're using SSH1 with Protocol 1, please verify your installed package and then upgrade to OpenSSH-2 Protocol 2 (don't specify "Protocol 2,1" in sshd_config). SSH1 *is definitely* way too old. If you're using OpenSSH2 with Protocol 1, change it to Protocol 2.

Verifying your package is best done through AIDE or Tripwire (if you installed it); it can somewhat be done through rpm, but that can be tampered with or corrupted or show false positives ("rpm --verify <installedpackagename>"). As an extra check you can try chkrootkit(.org), which is able to scan binaries for some well-known rootkit signs. And look through your sshd's logfiles for weird logins as well, if any.
 
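A worked version of the check unSpawn describes (confirm the host really is the host before deleting the key), added here as an example; it is not code from the thread, from the posters, or from OpenSSH. It assumes RSA host keys as in the original post, computes both the legacy colon-separated MD5 fingerprint that the 2002-era client prints and the modern SHA256 form, locates the "Offending key" line the warning points at, and rewrites the known_hosts entry only when the fingerprint read off the server console matches the one in the warning. The keys, the host address and the known_hosts content are constructed for the example.

```python
"""Verify an SSH host key fingerprint before touching known_hosts.

Added example, not code from the LQ thread or from OpenSSH. Procedure:
  1. On the server console (not over the suspect connection) read the
     fingerprint of /etc/ssh/ssh_host_rsa_key.pub.
  2. Compare it with the fingerprint printed in the client's warning.
  3. Only if they match, drop the stale known_hosts line and record the new
     key; otherwise leave known_hosts alone and treat the host as suspect.
Keys, host address and known_hosts content are constructed for the example.
"""
import base64
import hashlib
import struct
from typing import List, Optional, Tuple

def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _ssh_mpint(n: int) -> bytes:
    # Minimal big-endian encoding; the extra byte when bit_length is a multiple
    # of 8 keeps the value positive, as the SSH wire format requires.
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def make_rsa_pubkey_line(n: int, e: int = 65537, comment: str = "root@server") -> str:
    """Build an OpenSSH 'ssh-rsa <base64> <comment>' line from a constructed
    modulus. It is not a real RSA key; only the wire format matters here."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

def _key_blob(line: str) -> bytes:
    """Accept 'ssh-rsa <b64> [comment]' or a known_hosts line 'host ssh-rsa <b64>'."""
    fields = line.split()
    return base64.b64decode(fields[fields.index("ssh-rsa") + 1])

def md5_fingerprint(line: str) -> str:
    """Legacy colon-separated MD5 form, the xx:xx:... string in the warning."""
    digest = hashlib.md5(_key_blob(line)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))

def sha256_fingerprint(line: str) -> str:
    """Modern OpenSSH form: 'SHA256:' plus unpadded base64 of the digest."""
    digest = hashlib.sha256(_key_blob(line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def _hosts_of(known_hosts_line: str) -> List[str]:
    fields = known_hosts_line.split()
    return fields[0].split(",") if fields else []

def offending_line(known_hosts: str, host: str) -> Optional[int]:
    """1-based line of the entry for `host`, the N in the 'known_hosts:N' hint."""
    for lineno, line in enumerate(known_hosts.splitlines(), start=1):
        if host in _hosts_of(line):
            return lineno
    return None

def decide(warning_fp: str, console_fp: str) -> str:
    """'replace' only when the warning's fingerprint equals the one read off the
    server console; any mismatch is treated as a possible man-in-the-middle."""
    return "replace" if warning_fp.lower() == console_fp.lower() else "abort"

def replace_host_key(known_hosts: str, host: str, verified_pubkey_line: str) -> str:
    """Drop every entry for `host` (the stale key) and append the verified key."""
    kept = [l for l in known_hosts.splitlines() if host not in _hosts_of(l)]
    key_type, key_b64 = verified_pubkey_line.split()[:2]
    kept.append(f"{host} {key_type} {key_b64}")
    return "\n".join(kept) + "\n"

def handle_warning(known_hosts: str, host: str, warning_fp: str,
                   console_pubkey_line: str) -> Tuple[str, str]:
    """Whole procedure; returns (decision, resulting known_hosts text)."""
    decision = decide(warning_fp, md5_fingerprint(console_pubkey_line))
    if decision == "abort":
        return decision, known_hosts  # untouched: inspect the server instead
    return decision, replace_host_key(known_hosts, host, console_pubkey_line)

# Constructed sample data: the key recorded last week, the key the client now
# received over the wire, an unrelated neighbour, and the stale entry on line 1.
HOST = "192.168.1.105"
OLD_KEY = make_rsa_pubkey_line((0xC0FFEE << 1000) | 0xBADC0DE)
WIRE_KEY = make_rsa_pubkey_line((0xDEADBEEF << 1000) | 0x1234567)
OTHER_KEY = make_rsa_pubkey_line((0xFEEDFACE << 1000) | 0x7654321, comment="root@gw")
KNOWN_HOSTS = (f"{HOST} {' '.join(OLD_KEY.split()[:2])}\n"
               f"192.168.1.1 {' '.join(OTHER_KEY.split()[:2])}\n")

if __name__ == "__main__":
    # Console shows the wire key: genuine key change, entry gets replaced.
    # Console still shows the old key while the wire shows a new one: refuse.
    print(handle_warning(KNOWN_HOSTS, HOST, md5_fingerprint(WIRE_KEY), WIRE_KEY)[0])
    print(handle_warning(KNOWN_HOSTS, HOST, md5_fingerprint(WIRE_KEY), OLD_KEY)[0])
```

On a real server the console fingerprint comes from `ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub` (add `-E md5` on current OpenSSH to get the colon-separated form the old client prints); once the two match, `ssh-keygen -R 192.168.1.105` on the client removes the stale line the same way replace_host_key does, and the next connection prompts to accept the new key. A mismatch is the case the warning exists for: leave known_hosts alone and check the server from the console, as the later posts in this thread recommend.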
Old 01-23-2004, 02:32 PM   #4
dovkruger
LQ Newbie
 
Registered: Nov 2003
Location: NY area
Distribution: redhat EE3, Fedore Core 4
Posts: 23

Rep: Reputation: 15
Server address is changing

You said it yourself. You have dynamic IP addressing.
That means from the outside world, your machine looks like it is changing IP addresses.
So each time you reach a different one, your ssh client is warning you that the underlying address is changing.
 
Old 02-03-2004, 08:47 AM   #5
katmai90210
Member
 
Registered: Nov 2003
Location: Romania
Distribution: Redhat Linux , Fedora & SuSe
Posts: 46

Rep: Reputation: 15
rm -rf /etc/.ssh
then log in and all will work just fine
 
Old 02-03-2004, 12:55 PM   #6
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Quote:
Originally posted by katmai90210
rm -rf /etc/.ssh
then log in and all will work just fine
You must be joking. Do NOT do this. If you're positive that your connection is not being hijacked, you should edit ~/.ssh/known_hosts like unSpawn said.

By the way, Savedadogs why are you ssh'ing as root? It's really not recommended to perform such tasks as root, since logging into a remote host does not require you to be root locally.

To dovkruger, the outside IP being dynamic has nothing to do with it. He's logging in from the LAN to the internal IP, which hasn't changed.

IIRC, when a host is rebooted its key may be regenerated (I can't remember for sure), so it's possible that it was changed.
 
Old 02-03-2004, 04:54 PM   #7
katmai90210
Member
 
Registered: Nov 2003
Location: Romania
Distribution: Redhat Linux , Fedora & SuSe
Posts: 46

Rep: Reputation: 15
lol, as I said, being too paranoid is a waste of time sometimes ... you speak like we're in a war here ... and what should he do? edit the /etc/.ssh file each time? c'mon, get serious ... I take security seriously but .. we've got to be realistic sometimes .. doh!
 
Old 02-03-2004, 05:07 PM   #8
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Well what good is security if you just ignore all warnings? You might as well use telnet... The warnings are there for good reason.
 
Old 02-04-2004, 07:26 AM   #9
katmai90210
Member
 
Registered: Nov 2003
Location: Romania
Distribution: Redhat Linux , Fedora & SuSe
Posts: 46

Rep: Reputation: 15
I don't ignore warnings but I am realistic ... no hacker would show interest in data transmitted on a small network ... or a very unknown server ... you've got to take all the facts into consideration ... upgrade the ssh daemon ... see if you still get that warning ... be realistic, not paranoid ...
 
Old 02-04-2004, 08:15 AM   #10
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
That's really naive, to think that just because you're on a small network a cracker wouldn't show interest because you're a "small fish". The majority of the time it's a target of opportunity that attracts a cracker; that's why you see so many automated scans and rooters. Using telnet is a really big mistake, especially if you're ever logging in remotely as root. With the prevalence of sniffers today (esp. as part of rootkits) you should avoid protocols that transmit plain-text logins when you have a choice of using an encrypted protocol instead. In most cases, that's usually an option.
 
Old 02-04-2004, 09:25 AM   #11
frieza
Senior Member
 
Registered: Feb 2002
Location: harvard, il
Distribution: Ubuntu 11.4,DD-WRT micro plus ssh,lfs-6.6,Fedora 15,Fedora 16
Posts: 3,088

Rep: Reputation: 368
Capt_Caveman is right, I've seen a good example of that.... While I was taking an introductory Unix class at the local community college, someone rooted the Linux box we used to do all our assignments.... That one was a pain; we were all locked out of our accounts by the cracker.

Last edited by frieza; 02-04-2004 at 09:26 AM.
 
Old 02-04-2004, 09:28 AM   #12
katmai90210
Member
 
Registered: Nov 2003
Location: Romania
Distribution: Redhat Linux , Fedora & SuSe
Posts: 46

Rep: Reputation: 15
As I said, I don't say to ignore all warnings and stuff .. but to get hung up on the same problem each time ... that's paranoia ... don't use telnet, lol, that's antique ... but if you checked and double-checked the server and there is nothing wrong, then you won't do it forever .. get hung up only on that ssh key stuff ...
 
Old 02-10-2004, 12:48 AM   #13
nidputerguy
Member
 
Registered: Oct 2003
Posts: 47

Rep: Reputation: 15
If your network is up 24/7 you need to pay attention. The first thing a real hacker does is find a network like yours that he can use to attack other networks. He covers his tracks on your box. When the FBI comes looking, all they find is you. His tracks are erased. Yeah, you might want to pay attention to security.
 