[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] sshd logins without a source

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] sshd logins without a source
From: Nikolaos Mitsis <drynhwyl@xxxxxxxxx>
Date: Sat, 24 Sep 2011 23:24:25 +0300

> At the time of the compromise I can see in each
> servers sshd logs an entry like the following:
>
> Sep 22 12:57:14 test-vm sshd[25002]: pam_unix(sshd:session): session
> opened for user root by (uid=0)
> Sep 22 12:57:32 test-vm sshd[25002]: pam_unix(sshd:session): session
> closed for user root
>

Have you checked the integrity of sshd binary? It could be replaced with a
copy that "forgets" to log so you don't get the sshd logs (possibly after
receiving a specified password).
However the above logs are from pam (pam_unix does the logging on behalf of
sshd) so it's not possible to disable this in the sshd binary itself.

cheers,
ν.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: [Full-disclosure] [SECURITY] CVE-2011-1184 Apache Tomcat - Multiple weaknesses in HTTP DIGEST authentication
Next by Date: Re: [Full-disclosure] sshd logins without a source
Previous by thread: Re: [Full-disclosure] sshd logins without a source
Next by thread: [Full-disclosure] [Announcement] Reminder: ClubHack 2011 Call for Papers Closes on 15th October
Index(es):
- Date
- Thread