On Fri, 2 Mar 2012, Jordon Bedwell <envyge...@gmail.com> wrote:
> > Run the command below.
> >
> > grep "ssh:1.%.30s@%.128s.s password:" /usr/sbin/sshd; echo $?
> >
> > If you don't get 1 as output, your sshd is compromised.
>
> It returned 1, this happens on freshly installed Debian and Ubuntu too
> though, tested it on Ubuntu too.

http://etbe.coker.com.au/2011/12/31/server-cracked/

If you have a sshd that is compromised in the same way as one was on one of my servers then Anibal's command will give an output of 0.

I don't know what relevance this has to a discussion of OpenSSH logging though. I'd like to have OpenSSH log the email address field from a key that was used for login so I could see something like "ssh key russ...@coker.com.au was used to login to account rjc" in my logs.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
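
An added example, not part of the original message or of OpenSSH: one way to get the "which key logged in" view requested above by matching log fingerprints against the comment field in `authorized_keys`. It assumes an sshd that writes the key's SHA256 fingerprint in its "Accepted publickey" line; the key blobs, addresses and log lines are constructed samples.

```python
import base64
import hashlib
import re

# keytype, base64 blob (SSH key blobs always start "AAAA"), optional comment; leading options are skipped.
KEY_RE = re.compile(r'(?:^|\s)((?:ssh|ecdsa|sk)-\S+)\s+(AAAA[0-9A-Za-z+/=]+)(?:\s+(.*))?$')
# Assumed log format: sshd's "Accepted publickey" line carrying a SHA256 fingerprint.
LOG_RE = re.compile(r'Accepted publickey for (\S+) from (\S+) port \d+ ssh2: \S+ (SHA256:\S+)')

def fingerprint(blob_b64):
    """SHA256 fingerprint as sshd prints it: unpadded base64 of the digest."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def load_comments(authorized_keys_text):
    """Map fingerprint -> comment for each key line of an authorized_keys file."""
    comments = {}
    for line in authorized_keys_text.splitlines():
        m = None if line.lstrip().startswith("#") else KEY_RE.search(line.strip())
        if m:
            comments[fingerprint(m.group(2))] = m.group(3) or "(no comment)"
    return comments

def annotate(log_text, comments):
    """Return (user, source, key comment) for each accepted public-key login."""
    out = []
    for m in LOG_RE.finditer(log_text):
        user, src, fp = m.groups()
        out.append((user, src, comments.get(fp, "UNKNOWN KEY " + fp)))
    return out

# Constructed sample data: these blobs are placeholders shaped like keys, not real keys.
def sample_blob(n):
    return base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes([n]) * 32).decode()

SAMPLE_KEYS = (
    "# constructed authorized_keys for account rjc\n"
    f"ssh-ed25519 {sample_blob(1)} alice@example.org\n"
    f'from="192.0.2.*",no-pty ssh-ed25519 {sample_blob(2)} backup@example.org\n'
)
SAMPLE_LOG = (
    f"Mar  2 11:57:47 host sshd[411]: Accepted publickey for rjc from 192.0.2.10 port 51234 ssh2: ED25519 {fingerprint(sample_blob(2))}\n"
    f"Mar  2 12:03:10 host sshd[498]: Accepted publickey for rjc from 198.51.100.7 port 40022 ssh2: ED25519 {fingerprint(sample_blob(3))}\n"
)

if __name__ == "__main__":
    for user, src, who in annotate(SAMPLE_LOG, load_comments(SAMPLE_KEYS)):
        print(f"ssh key {who} was used to login to account {user} from {src}")
```

A login whose fingerprint matches no line in the account's current `authorized_keys` is reported as `UNKNOWN KEY`, which is the case worth alerting on.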