Is openssh-3.6.1p2-33.30.6 vulnerable? This is the version of OpenSSH on my RHEL3 server.
When we secured the box, we moved ssh to another port and disabled root logins. We moved it to port 7755, let's say, and enabled SSH 2 and disabled root logins.
When we attempted to log in to the server today, on port 7755, we noticed we could not log in. Trying repeatedly gave us the same denied login error. Baffled as to why, we tried port 22 and lo and behold the login was successful. Also, the last reported login shows nothing, just blank. It used to always show the last reported logged-in user. STRANGE!
Upon investigation we find that sshd_config has been reset to port 22 by
somebody on April 12. It was not us. Everything in sshd_config has been commented out.
It used to look like this:
Port 7755
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::
Now it looks like this:
#Port 7755
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
I scoured 4 weeks of logs and cannot find the point of entry, and the box is
clean. There is no evidence of a root, but ssh has been set back to port 22, very odd.
Yes, we have many, many people pounding port 22, over 1,900 yesterday according to logwatch. None of our users have SSH access.
I looked at /etc/passwd and counted up all the valid user accounts in the password file, which comes to 50 valid accounts. In WHM the number of valid users set up is 49. That means there is one extra account in /etc/passwd unaccounted for. I looked again and then I found it.
It's this line, the second to last entry in /etc/passwd, sshd:x:32052:32052::/home/sshd:/bin/bash, that's pointing to /home and /bin/bash.
I looked in /home and found a /home/sshd account with only 3 files in it
drwx------ 2 sshd sshd 4096 Mar 20 04:52 ./
drwx--x--x 53 root root 4096 Apr 24 09:26 ../
-rw-r--r-- 1 sshd sshd 24 Mar 20 04:52 .bash_logout
-rw-r--r-- 1 sshd sshd 191 Mar 20 04:52 .bash_profile
-rw-r--r-- 1 sshd sshd 124 Mar 20 04:52 .bashrc
Which doesn't make sense since we did not create this account and it's not in
WHM.
In the /etc/passwd file I find an entry, second from the last, for sshd that
looks like this.
sshd:x:32052:32052::/home/sshd:/bin/bash
promoart:x:32053:32053::/home/promoart:/usr/local/cpanel/bin/noshell
Can anyone verify that sshd should be pointing to /bin/bash? It doesn't look right to me.
I compared that sshd account with another one of our RHEL3 boxes and it looks
very different. On that box sshd looks like this:
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
Can I simply modify this using vipw to point back to the proper directory, or can I remove it?
The box is as clean as a whistle; if somebody did get root, why did they not root the server completely?
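An added example, not from the poster: a small Python script that does the reconciliation described above in a repeatable way, comparing each /etc/passwd entry against the same account on a known-good box and flagging user-range accounts the control panel does not know about. The passwd entries below are constructed from the post (plus one hypothetical `webadm` account to show the "unaccounted for" case); the WHM account list is a hypothetical stand-in for the real inventory.

```python
"""Audit /etc/passwd against a known-good baseline and a control-panel inventory.

Added example (not the poster's code). Sample data is constructed from the
forum post; the WHM list and the 'webadm' entry are hypothetical.
"""

# Constructed: tail of the suspect box's /etc/passwd, as quoted in the post,
# plus a hypothetical 'webadm' account that no one created via WHM.
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
sshd:x:32052:32052::/home/sshd:/bin/bash
promoart:x:32053:32053::/home/promoart:/usr/local/cpanel/bin/noshell
webadm:x:32054:32054::/home/webadm:/bin/bash
"""

# Constructed: the same accounts on the poster's second, known-good RHEL3 box.
BASELINE_SAMPLE = """root:x:0:0:root:/root:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
"""

# Hypothetical: accounts the control panel (WHM) reports as created.
WHM_ACCOUNTS = {"promoart"}

SYSTEM_UID_MAX = 499  # RHEL3 convention: uids below 500 are system accounts


def parse_passwd(text):
    """Return {name: {uid, gid, gecos, home, shell}} for each 7-field line."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line; a real audit would report it
        name, _pw, uid, gid, gecos, home, shell = fields
        users[name] = {
            "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell,
        }
    return users


def audit(passwd_text, baseline_text, panel_accounts):
    """Return a list of (account, reason) findings.

    - an account present on the baseline box whose uid/home/shell differ
    - a user-range account the control panel does not know about
    - any uid 0 account other than root
    """
    users = parse_passwd(passwd_text)
    baseline = parse_passwd(baseline_text)
    findings = []
    for name, u in users.items():
        if name in baseline:
            ref = baseline[name]
            for field in ("uid", "home", "shell"):
                if u[field] != ref[field]:
                    findings.append(
                        (name, f"{field} differs from baseline: "
                               f"{u[field]!r} vs {ref[field]!r}"))
        elif u["uid"] > SYSTEM_UID_MAX and name not in panel_accounts:
            findings.append((name, "user-range uid not in control-panel inventory"))
        if u["uid"] == 0 and name != "root":
            findings.append((name, "extra uid 0 account"))
    return findings


def unaccounted_count(passwd_text, baseline_text, panel_accounts):
    """The poster's arithmetic: entries neither on the baseline box nor in WHM."""
    users = parse_passwd(passwd_text)
    baseline = parse_passwd(baseline_text)
    return len([n for n in users if n not in baseline and n not in panel_accounts])


if __name__ == "__main__":
    for account, reason in audit(PASSWD_SAMPLE, BASELINE_SAMPLE, WHM_ACCOUNTS):
        print(f"{account}: {reason}")
    print("unaccounted-for accounts:",
          unaccounted_count(PASSWD_SAMPLE, BASELINE_SAMPLE, WHM_ACCOUNTS))
```

On real hosts, feed it the contents of `/etc/passwd` from the suspect box and from a trusted box of the same build; the baseline comparison is what catches the sshd entry in the post (uid 32052 instead of 74, home under /home instead of /var/empty/sshd, and /bin/bash instead of /sbin/nologin), while the inventory check catches accounts that exist in the password file but were never created through the panel.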