freebsd security - Nov 2010 - ssh binary modified

Hi,

I've just found a problem with ssh on one of my servers, I'm hoping
someone
can give me some insight into what's caused the problem.

When I try to use scp or ftp I get the following error:
command-line: line 0: Bad configuration option: PermitLocalCommand
lost connection

I've just noticed my /usr/bin/ssh binary was modified two days ago although
no updates have been run.

I've noticed a strange new file: /etc/ssh/.sshd_auth
This has file permission 755 and contained two entries of my plain text
login:
myuser:clearpassword
myuser:clearpassword

FreeBSD hostname 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:02:08 UTC
2009     root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64

OpenSSH_5.2p1 FreeBSD-20090522, SSH protocols 1.5/2.0, OpenSSL 0x009080bf

MD5 (/usr/bin/ssh) = 39d889822b743a86ab150e12692c85b7

Has anyone seen the file /etc/ssh/.sshd_auth before?

Cheers

-- 
Regards
Nick Knight

In message <AANLkTi=eaYSFJygru1NBqkNTBoC=2oKLuDJ1XGkMpEsC@mail.gmail.com>,
Nick
 Knight writes:
>I've just found a problem with ssh on one of my servers, I'm hoping
someone
>can give me some insight into what's caused the problem.
You've been hacked.

Reinstall from trusted media.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.

On 11/26/10 8:55:58 AM, Nick Knight wrote:
> Hi,
>
> I've just found a problem with ssh on one of my servers, I'm hoping
someone
> can give me some insight into what's caused the problem.
>
> When I try to use scp or ftp I get the following error:
> command-line: line 0: Bad configuration option: PermitLocalCommand
> lost connection
>
> I've just noticed my /usr/bin/ssh binary was modified two days ago
although
> no updates have been run.
>
> I've noticed a strange new file: /etc/ssh/.sshd_auth
> This has file permission 755 and contained two entries of my plain text
> login:
> myuser:clearpassword
> myuser:clearpassword
>
> FreeBSD hostname 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:02:08
UTC
> 2009     root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
>
> OpenSSH_5.2p1 FreeBSD-20090522, SSH protocols 1.5/2.0, OpenSSL 0x009080bf
>
> MD5 (/usr/bin/ssh) = 39d889822b743a86ab150e12692c85b7
>
> Has anyone seen the file /etc/ssh/.sshd_auth before?
I don't have that file on any of my servers, and it's not referenced in 
any of the documentation.

I would assume that your server has been compromised, along with your
password.  I would get that server offline and do either forensics or a
clean rebuild (depending on your situation)

If I were you, I would also assume that any accounts that share that
password are also compromised.  Change the password everywhere, and if
you use it for online banking or other financial stuff, notify your bank
and have credit or debit cards reissued.

Good luck,
Bill