Of course, I've double changed all passwords and regenerated ssh keys.

On Thu, Dec 29, 2011 at 7:44 PM, Taz <taz.ins...@gmail.com> wrote:
> http://security.stackexchange.com/questions/10202/perl-script-rootkit
>
> here it is, all the details. please check out
>
> On Thu, Dec 29, 2011 at 7:31 PM, Kees de Jong <keesdej...@gmail.com> wrote:
>> If you are absolutely sure that they gained root access then there is no
>> other alternative than to kill the internet on those machines.
>> And then you should back up all the data you want to preserve so that you
>> can reinstall those machines safely. There is no telling if they installed
>> another SSH server or other nasty things like rootkits.
>> Most attackers install their own SSH server so that any changes you make to
>> patch your security holes aren't putting them out of business.
>> Unless you have aide installed and made regular checksums of all the files
>> and configs then you have no idea if anything is changed since the attack.
>> You can also try rkhunter and chkrootkit to find any rootkits on your
>> system, but they aren't conclusive.
>>
>> The only way to be sure that you are in the clear is a total new start on
>> all the affected machines.
>>
>>
>> PS: We all got it now, fail2ban is a great tool ;-)
>>
>>
>> On Thu, Dec 29, 2011 at 15:04, Taz <taz.ins...@gmail.com> wrote:
>>>
>>> Hello, we've got various debian servers, about 15, with different
>>> versions. All of them have been attacked today and granted root
>>> access.
>>> Can anybody help? We can give ssh access to attacked machine, it seems
>>> to be a serious ssh vulnerability.
>>>
>>> How can I contact openssh mnt?
>>>
>>> Thank you.
>>>
>>>
>>> --
>>> To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org
>>> with a subject of "unsubscribe". Trouble? Contact
>>> listmas...@lists.debian.org
>>> Archive:
>>> http://lists.debian.org/CA+0W4N=at0esj+y3d8drzw8u+s6tcr6bcuha+w+u5rl-80v...@mail.gmail.com
>>>
>>
>> --
>> Kind regards,
>> Kees de Jong
>>
>> --
>> The information contained in this message may be confidential and is
>> intended to be exclusively for the addressee(s).
>> Should you receive this message unintentionally, please do not use the
>> contents herein and notify the sender immediately by return e-mail.
>>