My first guess too was a vulnerable rpc.statd/portmapper, because the network segment one of the cracked machines resided in received (and receives) a shitload of portmapper and ftp scans, but after some more research and several talks we had with admins of other affected systems, we came to the conclusion that a flaw in the SSH1 protocol has been used to break into the two said systems.
The game is ever the same - you have to harden your box, install patches, read the tickers for new vulns, and so on.

harden: http://www.suse.com/~marc/harden_suse-3.5.tar.gz
After running it you have to enable services in /etc/hosts.allow|deny.

patches: http://www.suse.com/en/support/download/updates/72_i386.html

To harden your sshd you may want to use protocol 2 only: do ssh-keygen -d and modify /etc/ssh/sshd_config as follows:

-- Protocol 1,2
++ Protocol 2
-- PermitRootLogin Yes
++ PermitRootLogin no
-- X11Forwarding Yes
++ X11Forwarding no

Further comments welcome.

killall -HUP sshd (kills all opened connections too :O)

Was this helpful?
Michael Appeldorn
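The post above lists three sshd_config changes (Protocol 2 only, PermitRootLogin no, X11Forwarding no). The script below is an added example, not part of the thread and not from any SUSE package: it audits an sshd_config for exactly those three settings so you can verify the edit took before and after the HUP. It assumes OpenSSH's "Keyword value" syntax and that, as sshd does, the first occurrence of a keyword wins. The two sample config files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the three
# settings the post recommends. Assumes OpenSSH "Keyword value" syntax,
# '#' comments, and first-occurrence-wins semantics (as sshd applies).

# Print the effective value of a keyword: first non-comment match, case-
# insensitive keyword. Prints nothing if the keyword is absent.
sshd_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Audit one config file. Prints a WEAK line for each setting that does not
# match the post's hardened value; returns 0 only if all three are hardened.
sshd_audit() {
    file="$1"; rc=0
    proto=$(sshd_value "$file" Protocol)
    case "$proto" in
        2) ;;   # only "2" is acceptable; "1,2", "2,1" or unset leave SSH1 reachable
        *) echo "WEAK: Protocol is '${proto:-unset}' (want 2; SSH1 still enabled)"; rc=1 ;;
    esac
    root=$(sshd_value "$file" PermitRootLogin | tr 'A-Z' 'a-z')
    case "$root" in
        no) ;;
        *) echo "WEAK: PermitRootLogin is '${root:-unset}' (want no)"; rc=1 ;;
    esac
    x11=$(sshd_value "$file" X11Forwarding | tr 'A-Z' 'a-z')
    case "$x11" in
        no) ;;
        *) echo "WEAK: X11Forwarding is '${x11:-unset}' (want no)"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample configs (not from any real host): the "--" state and the
# "++" state of the post's edit.
write_samples() {
    cat > "$1" <<'EOF'
# constructed: before the edit
Port 22
Protocol 1,2
PermitRootLogin Yes
X11Forwarding Yes
EOF
    cat > "$2" <<'EOF'
# constructed: after the edit
Port 22
Protocol 2
PermitRootLogin no
X11Forwarding no
EOF
}

tmp=$(mktemp -d)
WEAK="$tmp/sshd_config.weak"
HARD="$tmp/sshd_config.hard"
write_samples "$WEAK" "$HARD"

echo "== before =="
sshd_audit "$WEAK" || echo "(not hardened)"
echo "== after =="
sshd_audit "$HARD" && echo "(hardened)"
```

Run it against the live file with `sshd_audit /etc/ssh/sshd_config` after your edit and again after `killall -HUP sshd`, since sshd only re-reads the file on HUP or restart. On OpenSSH releases that have dropped SSH1 server support entirely, the Protocol keyword is ignored, so a missing Protocol line is no longer a weakness there; the other two checks still apply.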