From: Bill Moran <wmoran@collaborativefusion.com>
To: nick@stormunix.co.uk
Cc: freebsd-security@freebsd.org
Date: Sat, 27 Nov 2010 07:55:43 -0500
Subject: Re: ssh binary modified
Message-Id: <20101127075543.f4539aec.wmoran@collaborativefusion.com>

On 11/26/10 8:55:58 AM, Nick Knight wrote:
> Hi,
>
> I've just found a problem with ssh on one of my servers; I'm hoping someone
> can give me some insight into what's caused the problem.
>
> When I try to use scp or ftp I get the following error:
> command-line: line 0: Bad configuration option: PermitLocalCommand
> lost connection
>
> I've just noticed my /usr/bin/ssh binary was modified two days ago although
> no updates have been run.
>
> I've noticed a strange new file: /etc/ssh/.sshd_auth
> This has file permission 755 and contained two entries of my plain text
> login:
> myuser:clearpassword
> myuser:clearpassword
>
> FreeBSD hostname 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:02:08 UTC
> 2009 root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64
>
> OpenSSH_5.2p1 FreeBSD-20090522, SSH protocols 1.5/2.0, OpenSSL 0x009080bf
>
> MD5 (/usr/bin/ssh) = 39d889822b743a86ab150e12692c85b7
>
> Has anyone seen the file /etc/ssh/.sshd_auth before?

I don't have that file on any of my servers, and it's not referenced in any
of the documentation. I would assume that your server has been compromised,
along with your password.

I would get that server offline and do either forensics or a clean rebuild
(depending on your situation).

If I were you, I would also assume that any accounts that share that
password are also compromised. Change the password everywhere, and if you
use it for online banking or other financial stuff, notify your bank and
have credit or debit cards reissued.

Good luck,
Bill
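An added example, not part of the thread and not FreeBSD's own tooling: a small POSIX sh check that looks for the two indicators Nick reports (a hidden /etc/ssh/.sshd_auth credential file and an ssh binary whose MD5 no longer matches a trusted baseline). It assumes a root directory argument so it can be pointed at a mounted image or a test tree, and a baseline file of "md5  /path" lines recorded from a known-clean install; both are this example's conventions, not anything from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Checks a filesystem tree for the
# indicators reported in the post: a hidden credential drop file under
# /etc/ssh and an /usr/bin/ssh whose MD5 differs from a trusted baseline.
# Assumptions: ROOT is the tree to inspect ("/" on a live host, or a
# mounted image); BASELINE holds "md5  /path" lines taken from a clean box.

md5_of() {
    # MD5 hex digest of one file: GNU systems have md5sum, FreeBSD has md5.
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# check_ssh_host ROOT BASELINE
# Prints one FINDING line per indicator; returns 0 if clean, 1 otherwise.
check_ssh_host() {
    root="$1"; baseline="$2"; findings=0

    # 1. The exact drop file from the report: plaintext logins in /etc/ssh.
    if [ -e "$root/etc/ssh/.sshd_auth" ]; then
        echo "FINDING: $root/etc/ssh/.sshd_auth exists (credential drop file)"
        findings=1
    fi

    # 2. Any other hidden file in /etc/ssh is unexpected on a stock install.
    for f in "$root"/etc/ssh/.[!.]*; do
        [ -e "$f" ] || continue
        case "$f" in */.sshd_auth) continue ;; esac
        echo "FINDING: unexpected hidden file $f"
        findings=1
    done

    # 3. Binary integrity: every baseline entry must still match.
    while read -r want path; do
        [ -n "$path" ] || continue
        have=$(md5_of "$root$path")
        if [ "$have" != "$want" ]; then
            echo "FINDING: $root$path MD5 $have differs from baseline $want"
            findings=1
        fi
    done < "$baseline"

    return $findings
}
```

On a live host the baseline must come from trusted media or a clean install, since a hash taken after the modification only confirms the trojaned binary.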