[BlueOnyx:06969] Re: Failed Open SSH yum update

Stephanie Sullivan ses at aviaweb.com
Sun Apr 10 13:09:11 -05 2011


> -----Original Message-----
> From: blueonyx-bounces at blueonyx.it [mailto:blueonyx-bounces at blueonyx.it] On Behalf Of Gerald Waugh
> Sent: Sunday, April 10, 2011 1:43 PM
> To: BlueOnyx General Mailing List
> Cc: ma at ciic.com
> Subject: [BlueOnyx:06968] Re: Failed Open SSH yum update
> On Sun, 2011-04-10 at 12:27 -0400, Stephanie Sullivan wrote:
> > > From: blueonyx-bounces at blueonyx.it [mailto:blueonyx-bounces at blueonyx.it]
> > > On Behalf Of Michael Aronoff
> > > Sent: Sunday, April 10, 2011 11:48 AM
> > > To: 'BlueOnyx General Mailing List'
> > > Subject: [BlueOnyx:06964] Failed Open SSH yum update
> > >
> > > OK, so lost in the mess with the Apache update that was causing
> > > problems I noticed that an update to OpenSSH from the CentOS base
> > > repo is failing on my BO machines. I get the following during yum update:
> > >
> > > Running Transaction
> > >  Updating       : openssh-server                              67/224
> > > Error unpacking rpm package openssh-server-4.3p2-72.el5.i386
> > > error: unpacking of archive failed on file /usr/sbin/sshd: cpio: rename
> > >  Updating       : openssh-clients                             68/224
> > > Error unpacking rpm package openssh-clients-4.3p2-72.el5.i386
> > > error: unpacking of archive failed on file /usr/bin/ssh: cpio: rename
> > >
> > > Failed:
> > >  openssh-clients.i386 0:4.3p2-72.el5
> > >  openssh-server.i386 0:4.3p2-72.el5
> > >
> > > Anyone have any ideas?
> > > M Aronoff Out
> >
> > I have an idea - please do a:
> > lsattr /usr/sbin/sshd /usr/bin/ssh
> >
> > If you get permissions other than a series of "-" characters you've
> > been hacked. Look for a file in your /lib directory with usernames
> > and passwords used for ssh'ing into your VPS.
> >
> > Hope this isn't the case.
> 
> there may be a file
>     /lib/initr
> that will have ssh connected users and passwords
> --
> Gerald Waugh
> Front Street Networks
> http://www.frontstreetnetworks.com
> +1 318-670-8312
> cell 318-401-0428

Gerald,

Have you figured out how they got in? My log review showed servers hit with
attempts at the proftpd exploit that was patched in late 2010. I think that
is unlikely as a vector of entry, but I came up with nothing else. Given
that several folks' servers have been compromised by this I'm interested in
knowing the how and any effective defense short of pulling the power. :-)

Thanks for remembering the name of the file in /lib which I could not
recall.

    -Stephanie
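The lsattr check Gerald and Stephanie describe, written up as a small script. This is an added example, not code from the thread: it parses lsattr output for the immutable (i) and append-only (a) flags, which are what make rpm's cpio rename over /usr/sbin/sshd fail as in Michael's yum output, and it verifies the two OpenSSH packages with rpm -V. The sample lsattr lines are constructed, and the function names are my own.

```shell
#!/bin/sh
# Report files whose lsattr flags include immutable (i) or append-only (a).
# Nothing in a stock CentOS 5 install sets these on /usr/sbin/sshd or
# /usr/bin/ssh, so either flag on them deserves a closer look. The 'e'
# (extents) flag that ext4 sets on every file is deliberately ignored.

# Read lsattr output on stdin, e.g. "----i--------e- /usr/sbin/sshd",
# and print one "<flag> <path>" line per suspicious file.
flag_suspicious_attrs() {
    while IFS= read -r line; do
        attrs=${line%% *}   # flag column
        path=${line#* }     # everything after the first space
        # patterns are case-sensitive: 'i'/'a' are immutable/append-only,
        # 'I' and 'A' mean something else and are not matched
        case $attrs in
            *i*) echo "immutable $path" ;;
            *a*) echo "append-only $path" ;;
        esac
    done
}

# Constructed sample lsattr output (not captured from any real host)
SAMPLE_LSATTR='----i--------e- /usr/sbin/sshd
-------------e- /usr/bin/ssh
-----a-------e- /usr/bin/scp'

# Live check of the two binaries named in the thread, followed by rpm's
# own verification of the packages that own them. rpm -V prints nothing
# for an untouched package; an "S.5....T" line means size, md5 and mtime
# differ from what the package database recorded.
check_ssh_binaries() {
    lsattr /usr/sbin/sshd /usr/bin/ssh 2>/dev/null | flag_suspicious_attrs
    rpm -V openssh-server openssh-clients 2>/dev/null
}

# Run with --demo to see the parser applied to the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LSATTR" | flag_suspicious_attrs
fi
```

Both lsattr and rpm run on the suspect host, so a clean result only means something if those binaries themselves are trusted; booting from known-good media and checking from there settles that.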
