Gentoo Forums
hacked ssh binary
Gentoo Forums Forum Index :: Networking & Security
spymac
n00b
Joined: 28 Apr 2016
Posts: 4
PostPosted: Thu Apr 28, 2016 10:14 am    Post subject: hacked ssh binary

Hi, I found hacked OpenSSH binaries on a Gentoo server. My question is whether the following commands are 100% safe; the system that needs repair is a remote server. I'm not a Gentoo user and I have only a little experience with it.

# emerge --sync
# emerge portage
# emerge --ask --oneshot --verbose ">=net-misc/openssh-7.1_p2"

The current OpenSSH version is OpenSSH_5.9p1-hpn13v11, OpenSSL 1.0.1g 7 Apr 2014.


Thank you very much.
Buffoon
Veteran
Joined: 17 Jun 2015
Posts: 1074
Location: EU or US
PostPosted: Thu Apr 28, 2016 11:27 am

There is no repair, reinstall only. Nothing can be trusted in a compromised system.
spymac
n00b
Joined: 28 Apr 2016
Posts: 4
PostPosted: Thu Apr 28, 2016 11:34 am

This is only a temporary solution for one month; the server will be replaced with a new one. Please help.
Buffoon
Veteran
Joined: 17 Jun 2015
Posts: 1074
Location: EU or US
PostPosted: Thu Apr 28, 2016 11:47 am

In my book, leaving an "owned" box online is not a solution, temporary or not. Sorry.
frostschutz
Advocate
Joined: 22 Feb 2005
Posts: 2968
Location: Germany
PostPosted: Thu Apr 28, 2016 12:11 pm

If you don't even know how to `emerge openssh`, how can you tell that the binaries are hacked in the first place? :?:
spymac
n00b
Joined: 28 Apr 2016
Posts: 4
PostPosted: Thu Apr 28, 2016 12:23 pm

I'm not a Gentoo user, so I do not know the update/upgrade commands or Gentoo's behaviour before/after an update. I always use Debian. The binaries have a changed date; the date is the same as the hacked files in the /var/www folder. My question is whether it is safe to upgrade openssh, as it is the only access to the remote server.
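The poster's only evidence so far is a changed modification date. On Gentoo the package database records, for every installed file, the MD5 and mtime that portage wrote at install time (in /var/db/pkg/<category>/<package>/CONTENTS), which is a stronger signal than a timestamp alone. The script below is an added example, not code from the thread or from Gentoo; it parses that CONTENTS format and reports each recorded file as ok, modified (bytes differ), touched (same bytes, different mtime) or missing. The file names, contents and timestamp in `build_demo()` are constructed so it runs offline against a temporary tree; pass a real CONTENTS file and `root="/"` to check a live system.

```python
"""Compare files on disk with what a Gentoo CONTENTS file says portage installed.

Added example. Assumed CONTENTS line format (one entry per line):
    obj <path> <md5> <mtime>
    sym <path> -> <target> <mtime>
    dir <path>
Only 'obj' entries carry a hash, so only those are verified here.
"""
import hashlib
import os
import tempfile


def md5_of(path):
    """Hex MD5 of a file, read in chunks (the VDB records MD5, not SHA)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_contents(text):
    """Yield (path, md5, mtime) for every 'obj' entry; skip 'dir' and 'sym'."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "obj":
            yield parts[1], parts[2], int(parts[3])


def verify_contents(contents_text, root="/"):
    """Return {path: "ok" | "modified" | "touched" | "missing"} for each obj entry."""
    results = {}
    for path, recorded_md5, recorded_mtime in parse_contents(contents_text):
        on_disk = os.path.join(root, path.lstrip("/"))
        if not os.path.isfile(on_disk):
            results[path] = "missing"
        elif md5_of(on_disk) != recorded_md5:
            results[path] = "modified"   # content differs from what portage installed
        elif int(os.stat(on_disk).st_mtime) != recorded_mtime:
            results[path] = "touched"    # same bytes, but the timestamp was changed
        else:
            results[path] = "ok"
    return results


def suspicious(results):
    """Sorted list of paths whose state is anything other than 'ok'."""
    return sorted(p for p, s in results.items() if s != "ok")


def build_demo():
    """Constructed scenario: fake root with an intact scp, a replaced ssh and a
    missing sftp; the CONTENTS text is generated before the tampering."""
    root = tempfile.mkdtemp(prefix="vdb-demo-")
    bindir = os.path.join(root, "usr", "bin")
    os.makedirs(bindir)
    mtime = 1400000000  # constructed install timestamp
    entries = []
    for name, body in (("ssh", b"#!/bin/sh\necho original ssh\n"),
                       ("scp", b"#!/bin/sh\necho original scp\n"),
                       ("sftp", b"#!/bin/sh\necho original sftp\n")):
        full = os.path.join(bindir, name)
        with open(full, "wb") as f:
            f.write(body)
        os.utime(full, (mtime, mtime))
        entries.append("obj /usr/bin/%s %s %d" % (name, md5_of(full), mtime))
    contents = "dir /usr/bin\n" + "\n".join(entries) + "\n"
    # Simulate what the poster saw: ssh replaced, another file gone, scp untouched.
    with open(os.path.join(bindir, "ssh"), "wb") as f:
        f.write(b"#!/bin/sh\necho not the original\n")
    os.remove(os.path.join(bindir, "sftp"))
    return verify_contents(contents, root)


if __name__ == "__main__":
    for path, state in sorted(build_demo().items()):
        print(state.ljust(9), path)
```

Two caveats apply when reading the output on a real box. A "touched" entry is only a timestamp difference, and a modified file can have its mtime set back, so the hash comparison is the part that matters. More importantly, the CONTENTS files live on the same disk as the binaries; anyone with root could have edited them too, which is why the replies above say to compare against a known-good copy (or a fresh install) rather than to trust the compromised host's own records.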
Buffoon
Veteran
Joined: 17 Jun 2015
Posts: 1074
Location: EU or US
PostPosted: Thu Apr 28, 2016 1:29 pm

As you do not drive a car without steering and brakes as a temporary solution, you do not leave a compromised box online. This is irresponsible.
spymac
n00b
Joined: 28 Apr 2016
Posts: 4
PostPosted: Thu Apr 28, 2016 2:59 pm

Thanks for nothing ... Now I know that Gentoo is a useless and vulnerable system with nowhere to get advice or support.
khayyam
Watchman
Joined: 07 Jun 2012
Posts: 6228
Location: Room 101
PostPosted: Thu Apr 28, 2016 3:29 pm

spymac wrote:
Thanks for nothing ... Now I know that Gentoo is a useless and vulnerable system with nowhere to get advice or support.

spymac ... no. 1) You did get "advice and support": the machine is compromised, and the only advice someone can give you in such a case is to take the machine offline; that is standard security practice. 2) If the machine was compromised via httpd then this has nothing to do with Gentoo per se; the blame lies entirely with whomever is maintaining the machine ... so, how the install/httpd/etc. was maintained/configured, the code run by httpd, etc., etc. You seem to think not only that we should provide bad advice, but that we are responsible for whatever happens on the machine you're maintaining ... you are wrong on both counts.

best ... khay
NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 42583
Location: 56N 3W
PostPosted: Thu Apr 28, 2016 4:48 pm

spymac,

You don't have a month. You have no idea what other back doors are on that box. In security, there are no temporary solutions.
Upgrading sshd won't fix it as you have already said that wasn't the way the box was compromised.

Take the box offline and restore it from some known good backups. Then fix the source of the exploit, then put it back online.
You do have backups, don't you?
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Ant P.
Watchman
Joined: 18 Apr 2009
Posts: 5592
PostPosted: Thu Apr 28, 2016 8:22 pm

spymac wrote:
The binaries have a changed date; the date is the same as the hacked files in the /var/www folder.

Running web-facing software with root privileges? Then sorry, the distro is immaterial here. Whoever is supposed to be responsible for that machine is in fact an irresponsible moron, and it shouldn't be online at all. Who knows what else they screwed up? Maybe they put the backdoor there?