Concerned about possible crack, ssh warning message
Ok, here's the thing. Take everything from here down with a large grain of salt, because right now I'm paranoid and apt to jump to conclusions hastily.

I have a few test servers that we use for all kinds of misc. hacking and testing. I was just looking at one and noticed some things I'm not happy with that make me conclude this box is at least _possibly_ cracked. However, remember we use this as a do-anything-to-it-it-doesn't-matter test box - unstable software and the works; it's a throw-away install on our LAN. Because of this I can't be sure one of the other guys that have root hasn't done the things I'm eyeing suspiciously.

Anyway, I'm currently alarmed because the box I'm eyeing is testbox2, and I just tried to ssh from testbox1 to testbox2 and got the following message:

jw@suse1:~ > ssh jw@suse2
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA1 host key has just been changed.
The fingerprint for the RSA1 key sent by the remote host is
73:40:ed:40:fd:65:0a:bb:77:a9:2f:f7:9a:2e:54:62.
Please contact your system administrator.
Add correct host key in /home/jw/.ssh/known_hosts to get rid of this message.
Offending key in /home/jw/.ssh/known_hosts:5
RSA1 host key for emerald has changed and you have requested strict checking.
jw@suse1:~ >

The last time I ssh'd from 1 to 2 was about 5 hours ago and I received no such message. box2 has _not_ been rebooted; I know because my VNC session was running with my apps open just the way I set them up. I really, really doubt any of the other admins restarted sshd, but *maybe*. Also, I've seen messages in /var/log/* before about ssh regenerating the key, but there are none today.

What do you think?
---------------------------------------------------- Jonathan Wilson System Administrator Cedar Creek Software http://www.cedarcreeksoftware.com Central Texas IT http://www.centraltexasit.com
> jw@suse1:~ > ssh jw@suse2
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
> It is also possible that the RSA1 host key has just been changed.
> The fingerprint for the RSA1 key sent by the remote host is
> 73:40:ed:40:fd:65:0a:bb:77:a9:2f:f7:9a:2e:54:62.
> Please contact your system administrator.
> Add correct host key in /home/jw/.ssh/known_hosts to get rid of this message.
> Offending key in /home/jw/.ssh/known_hosts:5
> RSA1 host key for emerald has changed and you have requested strict checking.
> jw@suse1:~ >
>
> The last time I ssh'd from 1 to 2 was about 5 hours ago and I received no such message. box2 has _not_ been rebooted; I know because my VNC session was running with my apps open just the way I set them up. I really, really doubt any of the other admins restarted sshd, but *maybe*. Also, I've seen messages in /var/log/* before about ssh regenerating the key, but there are none today.
These messages in /var/log have nothing to do with the server's public key (which your ssh client was about to verify when it found that it's different from the last time). There are three options.

1) Some other machine stole the ip address of suse2, or a man-in-the-middle attack is in place.
2) The ip address of your host suse2 changed in the dns or elsewhere. By consequence, you actually connect to some other box.
3) Somebody re-generated the hostkey manually, but that seems less likely.
> What do you think?
I vote for option 1. You could check your /home/jw/.ssh/known_hosts file to see if you find the key that it's talking about, maybe under a different ip address. This way it should be easy to find out. Run arpwatch to see what's going on in the network in terms of changing ip addresses.

Roman.
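Roman's check (does the key ssh just reported already sit in known_hosts under some other name or address?) can be scripted. The following is an added example, not code from this thread: it computes the colon-separated MD5 fingerprint the warning prints for both an RSA1 line ("host bits e n", fingerprint MD5(n || e) as OpenSSH does it) and a protocol-2 line ("host keytype base64", MD5 of the decoded blob), then lists every known_hosts line holding a given fingerprint. The known_hosts contents and RSA numbers are constructed toy values.

```python
import base64
import hashlib

def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 hex, the format the warning above prints."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))

def ssh_string(data: bytes) -> bytes:           # SSH wire "string": 4-byte length + bytes
    return len(data).to_bytes(4, "big") + data
def ssh_mpint(n: int) -> bytes:                 # SSH "mpint": a leading 0x00 keeps it positive
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def build_rsa_blob(e: int, n: int) -> bytes:
    """Protocol-2 ssh-rsa public key blob; ssh fingerprints MD5 over exactly these bytes."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)

def rsa1_fingerprint(e: int, n: int) -> str:
    """RSA1 (protocol 1) lines are 'host bits e n'; OpenSSH fingerprints MD5(n || e)."""
    raw = lambda v: v.to_bytes((v.bit_length() + 7) // 8, "big")
    return md5_fingerprint(raw(n) + raw(e))

def rsa_known_hosts_line(hosts: str, e: int, n: int) -> str:
    return f"{hosts} ssh-rsa {base64.b64encode(build_rsa_blob(e, n)).decode()}"
def parse_known_hosts(text: str):
    """(line number, [host patterns], fingerprint) for every key line, either protocol."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) == 4 and fields[1].isdigit():        # RSA1: host bits e n
            fp = rsa1_fingerprint(int(fields[2]), int(fields[3]))
        elif len(fields) >= 3:                               # host keytype base64 [comment]
            fp = md5_fingerprint(base64.b64decode(fields[2]))
        else:
            continue
        entries.append((lineno, fields[0].split(","), fp))
    return entries
def find_fingerprint(entries, reported_fp: str):
    """Lines whose stored key equals the fingerprint ssh just reported, under any host name."""
    return [(lineno, hosts) for lineno, hosts, fp in entries if fp == reported_fp.lower()]

# Constructed known_hosts with toy RSA numbers (not real keys); line 5 is an old RSA1 entry.
SAMPLE_KNOWN_HOSTS = "\n".join([
    rsa_known_hosts_line("suse1,10.0.0.1", 65537, 0xC0FFEE1234567),
    "", "# lines 2-4 intentionally blank or comment", "",
    "emerald,10.0.0.2 1024 35 1234567890123456789",
    rsa_known_hosts_line("buildbox,10.0.0.9", 3, 0xDEADBEEF),
])
```

A hit on a line that belongs to a different host is the evidence for Roman's option 1; on a current OpenSSH, "ssh-keygen -l -E md5 -f ~/.ssh/known_hosts" prints the same colon form for every line if you prefer to do this by hand.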
Hi,

> > jw@suse1:~ > ssh jw@suse2
> > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> > @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
> > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> > IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
>
> 1) Some other machine stole the ip address of suse2, or a
> man-in-the-middle attack is in place.
> 2) The ip address of your host suse2 changed in the dns or elsewhere. By
> consequence, you actually connect to some other box.
> 3) Somebody re-generated the hostkey manually, but that seems less likely.

Sorry, but I have a 4th possibility (something like 3b): We tracked down 5 hacked customers' servers where all the host keys had been changed. Crawling through the leftovers of the crackers we learned that they've downloaded the sources of modified ssh servers but with unmodified installation routines. So after "make ; make install" they created a new host key.

Look for recently modified files, esp. in /dev, /bin, /sbin, /usr/local. We found files and dirs like

/.bash_history
/dev/hda08
"/usr/man/man1/..  " (that's dot-dot-space-space)

and some modified startup scripts in /etc/init.d. Also some log files were symlinked to /dev/null. Don't rely on "ls"; better use "lsattr" to check for hidden or changed files.

Bye,
Gerhard
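The leftovers Gerhard lists can be searched for programmatically. This is an added example, not code from this thread: it builds a throw-away directory tree imitating those indicators (a dot-dot-space-space directory, a log symlinked to /dev/null, a freshly rewritten init script beside a binary untouched for months) and walks it for the three indicator classes; the tree and its timestamps are constructed, and attribute flags of the kind lsattr shows are not covered.

```python
import os
import shutil
import tempfile
import time
from pathlib import Path
DEV_NULL = "/dev/null"

def suspicious_name(name: str) -> bool:
    """Names ls shows as an ordinary '.'/'..' or as nothing: padded with spaces, or empty."""
    stripped = name.strip()
    return name != stripped or stripped in ("", ".", "..")

def triage(root: str, recent_hours: float = 24, now=None) -> dict:
    """Walk root, collect the three indicator classes described above; paths relative to root."""
    now = time.time() if now is None else now
    cutoff = now - recent_hours * 3600
    found = {"odd_names": [], "null_symlinks": [], "recent": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if suspicious_name(name):
                found["odd_names"].append(str((Path(dirpath) / name).relative_to(root)))
        for name in filenames:
            full = Path(dirpath) / name
            rel = str(full.relative_to(root))
            if full.is_symlink() and os.readlink(full) == DEV_NULL:
                found["null_symlinks"].append(rel)     # a log nobody will ever read
            if os.lstat(full).st_mtime >= cutoff:      # mtime is trivially forged: a lead, not proof
                found["recent"].append(rel)
    return {key: sorted(paths) for key, paths in found.items()}

def build_sample_tree(base: str, now: float) -> str:
    """Constructed lab tree imitating the leftovers listed above; not data from a real system."""
    root = Path(base)
    (root / "usr/man/man1/..  ").mkdir(parents=True)       # dot-dot-space-space directory
    (root / "var/log").mkdir(parents=True)
    os.symlink(DEV_NULL, root / "var/log/messages")         # syslog pointed at /dev/null
    (root / "etc/init.d").mkdir(parents=True)
    (root / "etc/init.d/sshd").write_text("#!/bin/sh\n")    # freshly rewritten startup script
    (root / "bin").mkdir()
    (root / "bin/ls").write_text("")
    os.utime(root / "bin/ls", (now - 90 * 86400,) * 2)       # untouched for 90 days: not "recent"
    return str(root)

def demo(now=None) -> dict:
    """Build the sample tree in a scratch directory, triage it, and clean up."""
    now = time.time() if now is None else now
    base = tempfile.mkdtemp(prefix="triage-")
    try:
        return triage(build_sample_tree(base, now), now=now)
    finally:
        shutil.rmtree(base)
```

Point triage() at a real root only from a clean boot medium; on the suspect box itself "ls", "find" and even the Python interpreter may be the replaced binaries Gerhard describes.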
participants (3)
- Gerhard Strößner
- JW
- Roman Drahtmueller