The FreeBSD Diary

The FreeBSD Diary (TM)

Providing practical examples since 1998

If you buy from Amazon USA, please support us by using this link.
[ HOME | TOPICS | INDEX | WEB RESOURCES | BOOKS | CONTRIBUTE | SEARCH | FEEDBACK | FAQ | FORUMS ]

FreeBSD Support
 New Topic  |  Go to Top  |  Go to Topic  |  Search  |  Log In   Previous Message  |  Next Message 
 sshd hacked?
Author: fischb22 
Date:   21-09-08 05:08

recently i got a call from the datacenter where my server is located

aparently i am spamming the hell out of everyone, i've since then closed the box down via firewall rules, for investigation

i have found that whenever i log in via SSH an email is created with the username and password of what i logged in with.

i think i have found some discrepancies with sshd

-rwxr-xr-x 1 root wheel 679755 Jan 9 2008 sshd
-r-xr-xr-x 1 root wheel 168488 Jan 9 2008 sshd0


this seems odd to me, all the other files in this directory are dated may 2006

i deleted the source tree, and am doing a csvup right now, going to reinstall sshd when that is done.

was not sure if anyone else found this, or has come accross it.


excpert from /var/log/maillog:

Sep 21 00:43:19 wacko sendmail[6831]: m8L4hIsj006831: to=mosul.cracila@gmail.com, ctladdr=adm
in (1001/0), delay=00:00:01, xdelay=00:00:01, mailer=relay, pri=30094, relay=[127.0.0.1] [127
.0.0.1], dsn=2.0.0, stat=Sent (m8L4hIcA006834 Message accepted for delivery)

 Reply To This Message  |  Forum List  |  Flat View   Newer Topic  |  Older Topic 

 Topics Author  Date
 sshd hacked?   new
fischb22 21-09-08 05:08 
 Re: sshd hacked?   new
Dan 22-09-08 04:15 
 Re: sshd hacked?   new
fischb22 22-09-08 15:48 
 Re: sshd hacked?   new
Dan 22-09-08 15:50 
 Re: sshd hacked?   new
olyander 22-09-08 20:39 
 Re: sshd hacked?   new
Dan 22-09-08 20:53 
 Re: sshd hacked?   new
fischb22 23-09-08 02:37 


 Forum List  |  Need a Login? Register Here 
 User Login
 User Name:
 Password:
 Remember my login:
   
 Forgot Your Password?
Enter your email address or user name below and a new password will be sent to the email address associated with your profile.
How to get the most out of the forum

phorum.org