SSHD is writing to /usr/include/gpmh2.h ???

Support for security such as firewalls and securing Linux
JamieStrachan
Posts: 1
Joined: 2007/09/14 19:43:22

SSHD is writing to /usr/include/gpmh2.h ???

Post by JamieStrachan » 2007/09/14 20:17:24

Hello,

I can no longer launch ssh as anyone but root, and I traced it down to the fact that when I enter my password for the remote server into ssh, it attempts to open the file /usr/include/gpmh2.h for writing. ssh segfaults and dies, as that file is writable only by root.

So, I looked in that file, and it contains all the usernames, hosts, and passwords that I have been using with ssh as root.
I have looked at a few of our other systems with CentOS 4 and they seem to have the same problem.

Grepping around, it would appear that the string usr/include/gpmh2.h is contained within my sshd binary.

I have the following RPM installed, straight off the CentOS 4 iso:
openssh-server-3.9p1-8.RHEL4.12.i386.rpm

I cannot uninstall or reinstall sshd to test if the binary has been tampered with.

My sums for the RPM are as follows:
MD5: 63edacd53f5ded7acdd3c26cbf841bea openssh-server-3.9p1-8.RHEL4.12.i386.rpm
SHA1: be53bd51e11fc4fd2ebbf72988ecc5eb70293798 openssh-server-3.9p1-8.RHEL4.12.i386.rpm

Check your system!

Anyone have any ideas?
Thanks!
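The poster's instinct (grep the binary for the odd path, compare package sums) is the right one, and `rpm -V` is the quick way to ask the package database which files of openssh-server and openssh-clients no longer match what was installed. The following is an added example, not code from the thread or from CentOS: it parses `rpm -V` output and flags the lines a responder should care about, treating local edits to config files (size, digest, mtime changed on a `c` file) as expected and anything else as suspicious. The sample output embedded below is constructed for illustration, not taken from the poster's machine, and the path and attribute semantics are those documented for `rpm -V` (S size, M mode, 5 digest, D device, L link, U user, G group, T mtime, P capabilities).

```python
"""Triage `rpm -V` output to spot package-owned files that have been altered.

Added example, not from the forum thread.  Usage on the host:
    rpm -V openssh-server openssh-clients | python3 rpmv_triage.py
rpm prints one line per failing file: an attribute field, an optional
file-type letter, and the path, e.g.   "SM5....T.    /usr/sbin/sshd"
or, for a config file,                 "S.5....T.  c /etc/ssh/sshd_config".
Files that are gone are printed as     "missing     /path".
"""
import re
import sys

# Meaning of each position in the rpm -V attribute field ('.' = test passed,
# '?' = test could not be performed).  Older rpm prints 8 columns (no 'P').
ATTR_NAMES = {
    "S": "size", "M": "mode", "5": "digest", "D": "device", "L": "link",
    "U": "user", "G": "group", "T": "mtime", "P": "capabilities",
}
FILE_TYPES = "cdglr"   # config, documentation, ghost, license, readme

VERIFY_RE = re.compile(
    r"^(?P<attrs>[SM5DLUGTP.?]{8,9})\s+(?P<ftype>[" + FILE_TYPES + r"])?\s*(?P<path>/.*)$")
MISSING_RE = re.compile(
    r"^missing\s+(?P<ftype>[" + FILE_TYPES + r"])?\s*(?P<path>/.*)$")

# Size/digest/mtime drift on a config file is what a local edit looks like.
# Anything else on a config file, or any content/metadata change on a
# non-config file (a binary, a library, a man page), deserves a look.
EXPECTED_CONFIG_DRIFT = {"size", "digest", "mtime"}
CONTENT_ATTRS = {"size", "digest", "mode", "user", "group", "link", "device", "capabilities"}


def parse_line(line):
    """Return {'path', 'ftype', 'changed', 'missing'} or None for non-verify lines."""
    line = line.rstrip("\n")
    m = MISSING_RE.match(line)
    if m:
        return {"path": m.group("path"), "ftype": m.group("ftype"),
                "changed": set(), "missing": True}
    m = VERIFY_RE.match(line)
    if not m:
        return None   # dependency warnings, blank lines, etc.
    changed = {ATTR_NAMES[ch] for ch in m.group("attrs") if ch in ATTR_NAMES}
    return {"path": m.group("path"), "ftype": m.group("ftype"),
            "changed": changed, "missing": False}


def classify(entry):
    """Return a reason string if the entry is suspicious, else None."""
    if entry["missing"]:
        return "file missing"
    if entry["ftype"] == "c":
        unexpected = entry["changed"] - EXPECTED_CONFIG_DRIFT
        if unexpected:
            return ", ".join(sorted(unexpected)) + " changed on a config file"
        return None                      # a locally edited config file
    hits = entry["changed"] & CONTENT_ATTRS
    if hits:
        return ", ".join(sorted(hits)) + " changed on a non-config file"
    return None                          # mtime-only drift is low signal


def triage(text):
    """Return [(path, reason), ...] for every suspicious line in rpm -V output."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            findings.append((entry["path"], reason))
    return findings


# Constructed sample output (illustrative, not from the poster's system).
SAMPLE = """\
SM5....T.    /usr/sbin/sshd
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/bin/ssh-agent
..5....T.    /usr/bin/ssh
missing     /usr/share/man/man8/sshd.8.gz
"""

if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for path, reason in triage(data):
        print(f"SUSPECT {path}: {reason}")
```

Two caveats a responder should keep in mind. `rpm -V` compares against the local RPM database, which an attacker who already has root can doctor, and on a box where `sshd` has been replaced there is no reason to trust `rpm`, `strings` or the shell either; the dependable check is to boot from known-clean media, or at least to fetch the package from a mirror on another machine, check its signature with `rpm -K` (`--checksig`) and verify the installed files against that package file with `rpm -Vp`. Second, a clean `rpm -V` does not clear the host: the stolen credentials in the dropped file mean every remote system logged into from it, as the next reply says, has to be treated as compromised too.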

toracat
Forum Moderator
Posts: 7386
Joined: 2006/09/03 16:37:24
Location: California, US

Re: SSHD is writing to /usr/include/gpmh2.h ???

Post by toracat » 2007/09/14 21:10:09

Doesn't look good. There is no such file as gpmh2.h, and your sums may not match:

https://rhn.redhat.com/errata/RHSA-2006-0044.html

You should disconnect the machine from the network and investigate the system.

michaelnel
Posts: 1478
Joined: 2006/05/29 16:50:11
Location: San Francisco, CA

SSHD is writing to /usr/include/gpmh2.h ???

Post by michaelnel » 2007/09/14 22:46:03

I would suspect that any other systems where you use the same ssh login stuff would also have been hacked by now. You are looking at reinstalling a lot more than the ssh rpm.

Return to “CentOS 4 - Security Support”