Possible SSH Compromise - Is OpenSSH VULN!?!

jackie46

Is openssh-3.6.1p2-33.30.6 vulnerable? This is the version of OpenSSH on my RHEL3 server.

When we secured the box, we moved ssh to another port and disabled root logins. We moved it to port 7755, let's say, and enabled SSH 2 and disabled root logins.

When we attempted to log in to the server today, on port 7755, we noticed we could not log in. Trying repeatedly gave us the same denied login error. Baffled as to why, we tried port 22 and, lo and behold, the login was successful. Also, the last reported login shows nothing, just blank. It used to always show the last reported logged in user. STRANGE!

Upon investigation we find that sshd_config has been reset to port 22 by
somebody on April 12. It was not us. Everything in sshd_config has been commented out.

It used to look like this;

Port 7755
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::

Now it looks like this;

#Port 7755
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

I scoured 4 weeks of logs and cannot find the point of entry, and the box is
clean. There is no evidence of a root but ssh has been set back to port 22, very odd.

Yes, we have many, many people pounding port 22, over 1,900 yesterday according to logwatch. None of our users have SSH access.

I looked at /etc/passwd and counted up all the valid user accounts in the password file, which comes to 50 valid accounts. In WHM the number of valid users set up is 49. That means there is one extra account in /etc/passwd unaccounted for. I looked again, then I found it.

It's this line, the second to last entry in /etc/passwd, sshd:x:32052:32052::/home/sshd:/bin/bash, that's pointing to /home and /bin/bash.

I looked in /home and found a /home/sshd account with only 3 files in it:

drwx------ 2 sshd sshd 4096 Mar 20 04:52 ./
drwx--x--x 53 root root 4096 Apr 24 09:26 ../
-rw-r--r-- 1 sshd sshd 24 Mar 20 04:52 .bash_logout
-rw-r--r-- 1 sshd sshd 191 Mar 20 04:52 .bash_profile
-rw-r--r-- 1 sshd sshd 124 Mar 20 04:52 .bashrc

Which doesn't make sense, since we did not create this account and it's not in
WHM.

In the /etc/passwd file I find an entry, second from the last, for sshd that
looks like this.

sshd:x:32052:32052::/home/sshd:/bin/bash
promoart:x:32053:32053::/home/promoart:/usr/local/cpanel/bin/noshell

Can anyone verify that sshd should be pointing to /bin/bash? It doesn't look right to me.

I compared that sshd account with another one of our RHEL3 boxes and it looks
very different. On that box sshd looks like this;

sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin

Can I simply modify this using vipw to point back to the proper directory, or can I remove it?

The box is as clean as a whistle. If somebody did get root, why did they not root the server completely?
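A check a defender could run over /etc/passwd to catch an entry like the one above, written here as an added example (not code from the thread). The reference line is the sshd entry quoted from the other RHEL3 box; the lists of service-account names and non-interactive shells are assumptions.

```python
# Added example: flag /etc/passwd service accounts whose shell, home or UID
# deviate from a known-good reference entry. Sample data is constructed
# from the entries quoted in the thread.

SUSPECT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
sshd:x:32052:32052::/home/sshd:/bin/bash
promoart:x:32053:32053::/home/promoart:/usr/local/cpanel/bin/noshell
"""
# Known-good sshd entry from the untouched RHEL3 server quoted in the post
REFERENCE_PASSWD = "sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin\n"

# Assumptions: which names are daemons, and which shells are non-interactive
SERVICE_ACCOUNTS = {"sshd", "daemon", "bin", "nobody", "mail", "ftp"}
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false",
                  "/usr/local/cpanel/bin/noshell"}


def parse_passwd(text):
    """Parse passwd(5) lines into {name: {uid, gid, home, shell}}."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries[name] = {"uid": int(uid), "gid": int(gid),
                         "home": home, "shell": shell}
    return entries


def find_anomalies(current, reference):
    """Return human-readable findings for entries that look tampered with."""
    findings = []
    for name, entry in current.items():
        if entry["uid"] == 0 and name != "root":
            findings.append("%s: extra UID 0 account" % name)
        if name in SERVICE_ACCOUNTS and entry["shell"] not in NOLOGIN_SHELLS:
            findings.append("%s: service account has interactive shell %s"
                            % (name, entry["shell"]))
        ref = reference.get(name)
        if ref is None:
            continue
        for field in ("uid", "home", "shell"):
            if entry[field] != ref[field]:
                findings.append("%s: %s %s differs from reference %s"
                                % (name, field, entry[field], ref[field]))
    return findings
```

Run against the real files by reading /etc/passwd from the suspect box and from a known-good box of the same distribution; the promoart entry produces no finding because cPanel's noshell is listed as non-interactive.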

jackie46

I was looking at the possibility that somebody used the USERHELP vuln that was found in RH 6.x so many years ago to escalate themselves to root level access.

I do not see this on any other RHEL3 server, but I see it at 4:37am every day. I don't know where it's coming from, since there is no cron in /etc/cron.daily that I can see that's executing it, but it does run every day. As I said, I see it in the secure log file.

Anyone know what this is?

Apr 30 04:37:24 server userhelper[2793]: pam_timestamp: updated timestamp file `/var/run/sudo/root/unknown'
Apr 30 04:37:24 server userhelper[2797]: running '/usr/sbin/up2date --nox -i bind bind-devel bind-utils bzip2 expect freetype freetype-devel gcc gd gd-devel gd-progs gd-utils gnupg libgd1 libgd1-devel libmysqlclient10-dev lynx openssh openssh-clients openssh-server openssl openssl-devel openssl-misc perl-CPAN pine sharutils ucd-snmp ucd-snmp-devel ucd-snmp-utils wget XFree86-devel XFree86-libs' with root privileges on behalf of 'root'
Apr 30 04:37:28 server userhelper[2808]: pam_timestamp: updated timestamp file `/var/run/sudo/root/unknown'
Apr 30 04:37:28 server userhelper[2812]: running '/usr/sbin/up2date --nox -u' with root privileges on behalf of 'root'

Parcye

Sorry for the huge kick, but I now have the same problem. Every day this gets run and the server becomes unreachable via http, mail, ftp, ssh, but is still responding to pings.