On 9 Dec 2001, Armando B. Ortiz wrote:

> The attacks apparently took down two of our servers in a 4-server
> webfarm. They apparently leave the typical root kits and
> compromised/trojaned binaries.
>
> Unfortunately, I can't recover the other boxes and have to rebuild
> them. The intruder left compromised files relating to the operation of
> SSH as well as a trojaned SSH daemon.
>
> =:(

Do you know what kind of trojaned sshd it was and any of its features?
Was it by any chance "Root Kit SSH 6.0 by timecop"?
(http://openbsd.org.br/ouah/progs/rkssh6.tar.gz)

I've seen this kit being installed after other intrusions via the
CRC-32 compensation attack detector vulnerability.

/Andreas

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Dec 10 2001 - 12:46:32 PST