On Fri, 23 Sep 2011 11:45:35 +0800, BH said: > Hi, > > I am taking a look at a few different servers that have been rooted at > around the same time. At the time of the compromise I can see in each > servers sshd logs an entry like the following: > > Sep 22 12:57:14 test-vm sshd[25002]: pam_unix(sshd:session): session > opened for user root by (uid=0) > Sep 22 12:57:32 test-vm sshd[25002]: pam_unix(sshd:session): session > closed for user root Well, my first guess is the guys managed to wipe some but not all the log entries, using anything from sed to perl to cat to.. ;) But if you need alternate theories, here's one (untested) one for you: At least at one time, it was possible (though discouraged) to launch sshd from inetd, rather than having an sshd running all the time. In that case, inetd would catch the incoming connection, and spawn an sshd with file descriptors 0,1,2 pre-connected to the socket. That code path may have assumed that inetd would have done the connection logging and thus not logged it. This would impliy that either the attacker got an sshd entry into inetd.conf, or that he got code executed on the machine in ohther ways, and then fork/ exec'ed an ssh the same way inetd would (which would be odd, as fork/exec'ing /bin/bash would be a lot more productive ;) Of course, I haven't had my caffeine yet, so... ;)
Attachment:
pgpCPxshs78pk.pgp
Description: PGP signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/