  1. #1
    Join Date
    Jan 2004
    Location
    North Yorkshire, UK
    Posts
    4,163

    Strange Root SSH Problem

    Hi,

    Wondering if anyone has seen anything like this before, and has a fix for it ...

    Sites were loading slowly, so I decided to log in to the shell to see what was going on. When I try to log in I constantly get access denied as root, which is very strange ... never happened before.

    First I thought hmm, compromised box, but the same root password works for WHM??? I could get in and do anything I want. I restarted OpenSSH from WHM, changed the root password, then rebooted; same problem, still can't get in...?

    Any ideas folks?

    Dan

  2. #2
    Join Date
    Jan 2004
    Location
    Canada
    Posts
    130
    Your box probably is compromised. SSHd (OpenSSH) has probably been replaced with a version which sniffs your passwords. Of course I cannot be completely sure this is your issue as I'm not actually looking at your box. I would suggest, however, if you can get into SSH in the future to run Rootkit Hunter and Chkrootkit.
    Justin Cassidy, Accentra Inc.
    www.faxmicro.com :: Your Internet Fax Solution
    www.tollfreeexpress.com :: Hosted PBX Solutions

  3. #3
    Join Date
    Oct 2003
    Location
    Hanoi
    Posts
    4,306
    Dan, if you create a shell user (not root), can you log in to your box as that user?

  4. #4
    Join Date
    Aug 2004
    Location
    ring0
    Posts
    110
    Maybe you accidentally changed/updated "PermitRootLogin" in sshd_config to "no"?
    SERVERAXIS The arms dealer for startups
    SSD VPS and HDD Storage VPS
    Bare Metal Dedicated Servers
    Chicago - Miami

  5. #5
    Join Date
    Jan 2004
    Location
    North Yorkshire, UK
    Posts
    4,163
    Originally posted by gate2vn
    Dan, if you create a shell user (not root), can you log in to your box as that user?
    Nope... getting access denied to everything on the SSH side now.

  6. #6
    Join Date
    Oct 2003
    Location
    Hanoi
    Posts
    4,306
    Maybe you need your techs in the DC to take a look at the SSH config, disable

    AllowUsers root
    AllowUsers yourwheelgroupusername

    at the end of the config file, then restart the SSH service and try again.
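The two suggestions above (a `PermitRootLogin no` that slipped in, or `AllowUsers` lines that leave root off the list) both produce exactly the symptom in the first post: WHM still accepts the root password because it does not go through sshd, while every SSH login is refused. The script below is an added example, not something posted in this thread or shipped with OpenSSH: it evaluates those directives the way sshd(8) documents them (DenyUsers first, then AllowUsers, then PermitRootLogin for root; repeated AllowUsers lines accumulate; the first PermitRootLogin wins) against a constructed sshd_config, so you can see which line is locking you out before a datacentre tech edits the file. The sample config, user names and the `SSHD_DEFAULT_PRL` variable are assumptions for the demo; Match blocks and `Keyword=value` syntax are not handled. On the real box, `sshd -T` prints the effective configuration and is the authoritative check.

```shell
#!/bin/sh
# Added example (not the poster's or OpenSSH's code): does sshd's user policy
# let a given account in? Evaluates DenyUsers, AllowUsers and PermitRootLogin.
set -f   # no pathname expansion: AllowUsers patterns like "admin*" stay literal

# Constructed sshd_config reproducing the thread's symptom (assumed content).
write_sample_config() {
  cat > "$1" <<'EOF'
# constructed sample, not the poster's real config
Port 22
PermitRootLogin no
UseDNS yes
# someone restricted logins to two accounts; root is not one of them
AllowUsers dan
AllowUsers admin@10.0.0.*
DenyUsers guest
EOF
}

# Value of a single-valued directive: first occurrence wins, keyword is
# case-insensitive, comments and blank lines are skipped (as in sshd(8)).
sshd_get() {  # $1=config $2=keyword
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[ \t]*#/ || NF == 0 { next }
    tolower($1) == key    { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
  ' "$1"
}

# All patterns of a list directive (AllowUsers/DenyUsers). OpenSSH appends
# across repeated lines rather than replacing; "user@host" keeps only "user".
sshd_list() {  # $1=config $2=keyword
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[ \t]*#/ { next }
    tolower($1) == key { for (i = 2; i <= NF; i++) { p = $i; sub(/@.*/, "", p); print p } }
  ' "$1"
}

# Does name $2 match any shell-style pattern in list $1 (one per line)?
matches_any() {  # $1=patterns $2=name
  for pat in $1; do
    case "$2" in $pat) return 0 ;; esac
  done
  return 1
}

# Prints the verdict; returns 0 if a password login for $2 is possible, 1 if not.
ssh_login_allowed() {  # $1=config $2=user
  cfg=$1; user=$2
  if matches_any "$(sshd_list "$cfg" DenyUsers)" "$user"; then
    echo "denied: DenyUsers matches $user"; return 1
  fi
  allow=$(sshd_list "$cfg" AllowUsers)
  if [ -n "$allow" ] && ! matches_any "$allow" "$user"; then
    echo "denied: AllowUsers is set and $user matches no pattern"; return 1
  fi
  if [ "$user" = root ]; then
    # Default was "yes" on releases of the thread's era and is prohibit-password
    # since OpenSSH 7.0; SSHD_DEFAULT_PRL (assumed name) models a newer box.
    prl=$(sshd_get "$cfg" PermitRootLogin | tr 'A-Z' 'a-z')
    prl=${prl:-${SSHD_DEFAULT_PRL:-yes}}
    [ "$prl" = yes ] || { echo "denied: PermitRootLogin $prl blocks root password login"; return 1; }
  fi
  echo "allowed"; return 0
}

# Stand-alone demo over the constructed config.
demo_cfg=$(mktemp)
write_sample_config "$demo_cfg"
for u in root dan admin guest bob; do
  printf '%-6s %s\n' "$u" "$(ssh_login_allowed "$demo_cfg" "$u")"
done
rm -f "$demo_cfg"
```

Note the order: with the sample config root is refused by the AllowUsers lines before PermitRootLogin is even consulted, so deleting the `PermitRootLogin no` line alone would not have helped. Point the script at `/etc/ssh/sshd_config` from WHM's file manager or a console to get the same verdict for your own accounts.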

  7. #7
    Join Date
    Mar 2001
    Posts
    1,434
    Could be an ssh attack, brute force password type, that floods ssh and does not allow any other connections. I've seen this a few times.

    - John C.

  8. #8
    Join Date
    Aug 2004
    Location
    ring0
    Posts
    110
    Are you able to read /var/log/messages or /var/log/secure?

  9. #9
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    11,686
    Originally posted by ServerDave
    Are you able to read /var/log/messages or /var/log/secure?
    If he can't log in, how's he supposed to read that?
    Dan, try to reinstall the openssh packages from WHM. This should replace the sshd binary, which is probably hacked.
    WHMCS Guru - WHMCS addons, management, support and more.
    WHMCS Notifications Extended - Add slack, hipchat, SMS, pushover to WHMCS !!
    Always looking for Linux, WHMCS, Support Desk work. PM for details

  10. #10
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    Is this a 64-bit box? There is a problem that is popping up randomly where the rpms from the wrong branch (i386) are getting installed, stopping openssh auth with pam from working (CentOS 3.4; I have seen it several times). I find it amusing most people go straight for the compromised solution; there's several reasons why this can happen.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
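The failure mode described above is easy to confirm from WHM or a console without guessing: list the installed packages with their architecture and look for anything on sshd's authentication path (openssh, pam, glibc) that exists only as an i386 build on an x86_64 machine. The script below is an added example, not code from the thread or from any CentOS tooling; it runs offline on a constructed package list that stands in for the output of `rpm -qa --qf '%{NAME} %{ARCH}\n'`, and the machine architecture is passed in instead of being read from `uname -m`. Package names and versions in the sample are assumptions. It treats a package as suspect only when no build for the native architecture is installed at all, because on a multilib x86_64 box a 32-bit glibc or pam installed beside the 64-bit one is normal.

```shell
#!/bin/sh
# Added example (not the poster's or a distro's code): find RPMs installed
# only for a foreign architecture, e.g. i386 openssh-server on x86_64.

# Constructed stand-in for `rpm -qa --qf '%{NAME} %{ARCH}\n'` (assumed data).
sample_rpm_list() {
  cat <<'EOF'
openssh i386
openssh-server i386
openssh-clients x86_64
pam x86_64
pam i386
glibc x86_64
glibc i686
setup noarch
EOF
}

# $1 = machine arch as printed by `uname -m`; "name arch" lines on stdin.
# Prints "name arch..." for every package with no native or noarch build.
foreign_only_packages() {
  awk -v m="$1" '
    { seen[$1] = 1
      if ($2 == m || $2 == "noarch") native[$1] = 1
      arches[$1] = arches[$1] " " $2 }
    END { for (n in seen) if (!(n in native)) print n arches[n] }
  ' | LC_ALL=C sort
}

# Narrow the report to what sshd password authentication actually loads.
auth_stack_foreign() {  # $1 = machine arch; list on stdin
  foreign_only_packages "$1" | awk '$1 ~ /^(openssh|pam|glibc)/'
}

# Stand-alone demo: on a real box replace sample_rpm_list with
#   rpm -qa --qf '%{NAME} %{ARCH}\n'   and x86_64 with   "$(uname -m)"
echo "packages with no x86_64/noarch build installed:"
sample_rpm_list | foreign_only_packages x86_64
echo "of which on the sshd auth path:"
sample_rpm_list | auth_stack_foreign x86_64
```

If this flags openssh or pam, reinstalling the x86_64 packages (from WHM or with rpm) is the fix; `rpm -V openssh-server` afterwards verifies the installed files against the package database, which also answers the "replaced sshd binary" worry raised earlier in the thread, and `file /usr/sbin/sshd` shows the binary's architecture directly.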

  11. #11
    Join Date
    Jul 2003
    Location
    Texas
    Posts
    785
    Are you getting a 'denied' message or is it timing out? I have seen similar problems with broken /etc/resolv.conf entries or a dead resolver. The DNS lookup will timeout during the reverse lookup and drop your connection.
    Thanks,

    Jeremy

  12. #12
    Join Date
    Aug 2004
    Location
    ring0
    Posts
    110
    Originally posted by linux-tech
    If he can't log in, how's he supposed to read that?
    Dan, try to reinstall the openssh packages from WHM. This should replace the sshd binary, which is probably hacked.
    You never know, ftp maybe? rsync? script? I do not know what other processes there are running on that box... but obviously he won't be able to read them with ssh or sftp. Being able to read the logs might shed some light on the cause of the problem.

  13. #13
    Join Date
    Jan 2004
    Location
    North Yorkshire, UK
    Posts
    4,163
    Originally posted by thelinuxguy
    Is this a 64-bit box? There is a problem that is popping up randomly where the rpms from the wrong branch (i386) are getting installed, stopping openssh auth with pam from working (CentOS 3.4; I have seen it several times). I find it amusing most people go straight for the compromised solution; there's several reasons why this can happen.
    Sounds exactly like it, I'm on 3.4 x64.
