On Mon, Jun 01, 2009 at 07:23:27AM -0400, Michael Stone wrote:
> Yes, that's a typical location for intruders to drop files. Easiest
> thing to do is reinstall after thinking about how the compromise may
> have occurred. (Did you update regularly, including kernel updates? Did
> all accounts have strong passwords? Do you have web applications not
> managed by the system that weren't being updated? etc.)
We had a serious situation on this computer and several others. Ssh and
sshd were replaced by the cracker's own version and in one case nearly all
the pam-related stuff was replaced also. Through these customised versions
of ssh the cracker harvested every password that was used during ssh logins
and ssh sessions.

We are winning the battle and will in the next few weeks try to do the
analysis of what went wrong.

Regards
Johann
--
Johann Spies  Telefoon: 021-808 4599
Informasietegnologie, Universiteit van Stellenbosch

"Thou wilt show me the path of life: in thy presence is fulness of joy; at
thy right hand there are pleasures for evermore." Psalms 16:11
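The replaced ssh, sshd and PAM files described above are exactly what a comparison against the package's shipped checksums is meant to catch. The script below is an added example, not from the thread or from Debian's own tooling: it reads a dpkg-style .md5sums list (the format used under /var/lib/dpkg/info/, e.g. openssh-client.md5sums, openssh-server.md5sums, libpam-modules.md5sums) and reports files whose content differs or is missing. It assumes GNU md5sum is available; the md5sums list itself must come from a trusted copy of the .deb, since a list read from the compromised host can have been edited along with the binaries.

```shell
#!/bin/sh
# Added example: verify installed files against a Debian package's .md5sums list.
# The list format is one entry per line: "<md5>  <path relative to />", which is
# what dpkg writes to /var/lib/dpkg/info/<package>.md5sums.
#
# Trust boundary: take the list from a known-good .deb (dpkg-deb -x into a temp
# dir and read its DEBIAN/md5sums) or run from clean boot media with the suspect
# root mounted read-only. A list stored on the suspect host proves nothing.

# verify_md5sums MD5SUMS_FILE [ROOT]
# Prints one line per MISSING or MODIFIED file under ROOT (default /).
# Returns the number of problems found (0 = every listed file matches).
verify_md5sums() {
    md5file="$1"
    root="${2:-/}"
    bad=0
    while read -r want path; do
        [ -n "$path" ] || continue           # skip blank or malformed lines
        file="${root%/}/$path"
        if [ ! -f "$file" ]; then
            echo "MISSING  $file"
            bad=$((bad + 1))
            continue
        fi
        have=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "MODIFIED $file (expected $want, got $have)"
            bad=$((bad + 1))
        fi
    done < "$md5file"
    # Shell return codes are 0-255; clamp so a long list still reports failure.
    [ "$bad" -gt 255 ] && bad=255
    return "$bad"
}

# Typical use on a live Debian host, with the list taken from a trusted .deb:
#   verify_md5sums /path/to/trusted/openssh-server.md5sums /
#   verify_md5sums /path/to/trusted/openssh-client.md5sums /mnt/suspect
```

A mismatch on /usr/bin/ssh, /usr/sbin/sshd or a PAM module is the signal to stop trusting the host and reinstall, as the reply above advises; a clean result only covers files the package list names.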