On 11/26/10 8:55:58 AM, Nick Knight wrote: > Hi, > > I've just found a problem with ssh on one of my servers, I'm hoping someone > can give me some insight into what's caused the problem. > > When I try to use scp or ftp I get the following error: > command-line: line 0: Bad configuration option: PermitLocalCommand > lost connection > > I've just noticed my /usr/bin/ssh binary was modified two days ago although > no updates have been run. > > I've noticed a strange new file: /etc/ssh/.sshd_auth > This has file permission 755 and contained two entries of my plain text > login: > myuser:clearpassword > myuser:clearpassword > > FreeBSD hostname 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:02:08 UTC > 2009 r...@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64 > > OpenSSH_5.2p1 FreeBSD-20090522, SSH protocols 1.5/2.0, OpenSSL 0x009080bf > > MD5 (/usr/bin/ssh) = 39d889822b743a86ab150e12692c85b7 > > Has anyone seen the file /etc/ssh/.sshd_auth before?
I don't have that file on any of my servers, and it's not referenced in any of the documentation. I would assume that your server has been compromised, along with your password. I would get that server offline and do either forensics or a clean rebuild (depending on your situation) If I were you, I would also assume that any accounts that share that password are also compromised. Change the password everywhere, and if you use it for online banking or other financial stuff, notify your bank and have credit or debit cards reissued. Good luck, Bill _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
