31 Jan 2002 20:07
Hi,

> > jw@suse1:~ > ssh jw@suse2
> >
> > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> > @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
> > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> > IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
>
> 1) Some other machine stole the ip address of suse2, or a
> man-in-the-middle attack is in place.
> 2) The ip address of your host suse2 changed in the dns or elsewhere. By
> consequence, you actually connect to some other box.
> 3) Somebody re-generated the hostkey manually, but that seems less likely.

Sorry, but I have a 4th possibility (something like 3b):

We tracked down 5 hacked customers' servers where all the host keys have been
changed. Crawling through the leftovers of the crackers we learned that they've
downloaded the sources of modified ssh servers but with unmodified installation
routines. So after "make ; make install" they created a new host key.

Look for recently modified files, esp. in /dev, /bin, /sbin, /usr/local.
We found files and dirs like

  /.bash_history
  /dev/hda08
  "/usr/man/man1/..  "   (that's dot-dot-space-space)

and some modified startup scripts in /etc/init.d
Also some log files were symlinked to /dev/null

Don't rely on "ls", better use "lsattr" to check for hidden or changed files.

Bye,
Gerhard
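A triage script for the clues Gerhard lists, added here as an example and not part of the original mail: `ROOT` is a hypothetical argument (default `/`) so the checks can be pointed at a mounted image or a test tree, and it assumes GNU find (`-lname`, `-xdev`) and `lsattr` from e2fsprogs.

```shell
#!/bin/sh
# Triage checks for the clues in the mail above. ROOT is a hypothetical
# argument (default /) so the checks can run against a mounted image or a
# test tree. Assumes GNU find (-lname, -xdev) and lsattr from e2fsprogs.

# 1) Names ending in a blank or tab, like "/usr/man/man1/..  ", which 'ls'
#    prints indistinguishably from '..'.
find_whitespace_names() {
    root=${1:-/}
    tab=$(printf '\t')
    find "$root" -xdev \( -name '* ' -o -name "*$tab" \) 2>/dev/null
}
# 2) Log files replaced by symlinks to /dev/null.
find_null_logs() {
    root=${1:-/var/log}
    find "$root" -xdev -type l -lname /dev/null 2>/dev/null
}
# 3) Regular files modified within the last DAYS days under the directories
#    the mail names; verify survivors against package checksums, not by eye.
find_recent_changes() {
    root=${1:-/}
    days=${2:-7}
    for d in dev bin sbin usr/local etc/init.d; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -xdev -type f -mtime "-$days" 2>/dev/null
    done
    return 0
}
# 4) Immutable (i) or append-only (a) attribute flags, which 'ls' never shows.
#    lsattr -R also prints "dir:" headers, so only flag fields are matched.
find_attr_flags() {
    root=${1:-/}
    command -v lsattr >/dev/null 2>&1 || return 0
    for d in dev bin sbin usr/local etc; do
        [ -d "$root/$d" ] || continue
        lsattr -R "$root/$d" 2>/dev/null |
            awk '$1 ~ /^[-A-Za-z]+$/ && $1 ~ /[ia]/ { print $2 }'
    done
    return 0
}
# Run every check against ROOT and tag each finding with the check that hit.
triage() {
    root=${1:-/}
    find_whitespace_names "$root"        | sed 's/^/whitespace-name: /'
    find_null_logs "$root/var/log"       | sed 's/^/log-to-devnull: /'
    find_recent_changes "$root" "${2:-7}" | sed 's/^/recent-change: /'
    find_attr_flags "$root"              | sed 's/^/attr-flag: /'
}
```

Findings are leads, not verdicts: a recently modified file is normal after a package update, so compare against the distribution's checksums before acting on it.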