[BlueOnyx:06986] Re: Failed Open SSH yum update

Christoph Schneeberger cschnee at box.telemedia.ch
Mon Apr 11 06:06:50 -05 2011


Stephanie Sullivan wrote:
>> -----Original Message-----
>> From: blueonyx-bounces at blueonyx.it [mailto:blueonyx-bounces at blueonyx.it] On Behalf Of Gerald Waugh
>> Sent: Sunday, April 10, 2011 1:43 PM
>> To: BlueOnyx General Mailing List
>> Cc: ma at ciic.com
>> Subject: [BlueOnyx:06968] Re: Failed Open SSH yum update
>> On Sun, 2011-04-10 at 12:27 -0400, Stephanie Sullivan wrote:
>>>> From: blueonyx-bounces at blueonyx.it [mailto:blueonyx-bounces at blueonyx.it]
>>>> On Behalf Of Michael Aronoff
>>>> Sent: Sunday, April 10, 2011 11:48 AM
>>>> To: 'BlueOnyx General Mailing List'
>>>> Subject: [BlueOnyx:06964] Failed Open SSH yum update
>>>>
>>>> OK, so lost in the mess with the Apache update that was causing problems I
>>>> noticed that an update to OpenSSH from the CentOS base repo is failing on
>>>> my BO machines. I get the following during yum update:
>>>>
>>>> Running Transaction
>>>>  Updating       : openssh-server                 67/224
>>>> Error unpacking rpm package openssh-server-4.3p2-72.el5.i386
>>>> error: unpacking of archive failed on file /usr/sbin/sshd: cpio: rename
>>>>  Updating       : openssh-clients                68/224
>>>> Error unpacking rpm package openssh-clients-4.3p2-72.el5.i386
>>>> error: unpacking of archive failed on file /usr/bin/ssh: cpio: rename
>>>>
>>>> Failed:
>>>>  openssh-clients.i386 0:4.3p2-72.el5
>>>>  openssh-server.i386 0:4.3p2-72.el5
>>>>
>>>> Anyone have any ideas?
>>>> M Aronoff Out
>>>>
>>> I have an idea - please do a:
>>> lsattr /usr/sbin/sshd /usr/bin/ssh
>>>
>>> If you get permissions other than a series of "-" characters you've
>>> been hacked. Look for a file in your /lib directory with usernames
>>> and passwords used for ssh'ing into your VPS.
>>>
>>> Hope this isn't the case.
>>>
>> there may be a file
>>     /lib/initr
>> that will have ssh connected users and passwords
>> --
>> Gerald Waugh
>> Front Street Networks
>> http://www.frontstreetnetworks.com
>> +1 318-670-8312
>> cell 318-401-0428
>>
>
> Gerald,
>
> Have you figured out how they got in? My log review showed servers hit with
> attempts at the proftpd exploit that was patched in late 2010. I think that
> is unlikely as a vector of entry, but I came up with nothing else. Given
> that several folks' servers have been compromised by this I'm interested in
> knowing the how and any effective defense short of pulling the power. :-)
>
> Thanks for remembering the name of the file in /lib which I could not
> recall.
>
>     -Stephanie
>
Hi,

Many of our VPS customers seem to have joined this club: I've got the
same problems running the yum upgrade, and I have changed ext attributes
on those machines. Do you have additional info about how to get rid of
the intruders? Also, I would be very interested to work out the vector
they got in by in the first place. For the moment I was about to reinstall
the openssh rpms; is that a way?

Thanks in advance for any hints,
Christoph
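The checks the thread describes, collected into one script. This is an added example and not code from the thread or from the BlueOnyx project. It assumes e2fsprogs-style lsattr output ("<attrs> <path>"), where an "i" in the attribute field is the immutable flag that stops rpm from renaming its unpacked file over the existing binary (the "cpio: rename" failure quoted above); it assumes rpm -V output of the form "<flags>  [c|d] <path>" or "missing   <path>"; and it uses the paths named in the thread (/usr/sbin/sshd, /usr/bin/ssh, /lib/initr). The sample lsattr and rpm -V lines in the comments are constructed, and the --live switch is my own convention.

```shell
#!/bin/sh
# Added example (not from the thread or the BlueOnyx project).
# Assumptions: lsattr prints "<attrs> <path>"; an 'i' in <attrs> is the
# immutable flag that makes rpm's rename-over-target fail ("cpio: rename");
# rpm -V prints "<flags>  [c|d] <path>" or "missing   <path>"; /lib/initr
# is the credential file named in the thread.  Sample input is constructed.

# Read lsattr output on stdin; print "<flags> <path>" for every file whose
# attribute field contains anything other than '-'.
# e.g. "----i-------- /usr/sbin/sshd"  ->  "i /usr/sbin/sshd"
flagged_files() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        attrs=${line%% *}
        path=${line#* }
        flags=$(printf '%s' "$attrs" | sed 's/-//g')
        if [ -n "$flags" ]; then
            printf '%s %s\n' "$flags" "$path"
        fi
    done
}

# Read "rpm -V" output on stdin; print the path of every file whose size
# (S) or MD5 (5) differs from the package, or that is missing altogether.
# e.g. "S.5....T  /usr/sbin/sshd"  ->  "/usr/sbin/sshd"
# Paths are taken as the last whitespace-separated word (no spaces in paths).
rpm_verify_changed() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        flags=${line%% *}
        path=${line##* }
        case $flags in
            *5*|*S*|missing) printf '%s\n' "$path" ;;
        esac
    done
}

# Return 0 when the given path exists (used for the /lib/initr dropbox).
suspect_file_present() {
    [ -e "$1" ]
}

# Run the three checks against the real host; run as root for full results.
live_check() {
    echo "== ssh binaries with extra ext attributes (should print nothing) =="
    lsattr /usr/sbin/sshd /usr/bin/ssh 2>/dev/null | flagged_files
    echo "== openssh files differing from their rpm (should print nothing) =="
    rpm -V openssh-server openssh-clients 2>/dev/null | rpm_verify_changed
    if suspect_file_present /lib/initr; then
        echo "/lib/initr exists: preserve it for forensics before cleaning up"
    fi
}

if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

A hit from either of the first two checks means the binary yum is trying to replace is not the one the package installed. Clearing the flag with chattr -i will let the rpm reinstall succeed, but it only restores the files the package owns and says nothing about what else was changed; a trojaned sshd is grounds for treating the host as fully compromised and rebuilding it from clean media, after copying off /lib/initr and the logs for analysis.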
