SSHD is writing to /usr/include/gpmh2.h ???

Posted: 2007/09/14 20:17:24
by JamieStrachan

I can no longer launch ssh as anyone but root, and I traced it down to the fact that when I enter my password for the remote server into ssh, it attempts to open the file /usr/include/gpmh2.h for writing. ssh segfaults and dies, as that file is writable only by root.

So, I looked in that file, and it contains all the username, hosts, and passwords that I have been using with ssh as root.
I have looked at a few of our other CentOS4 systems and they seem to have the same problem.

Grepping around, it would appear that the string usr/include/gpmh2.h is contained within my sshd binary.

I have the following RPM installed, straight off the CentOS 4 iso:

I cannot uninstall or reinstall sshd to test if the binary has been tampered with.

My sums for the RPM are as follows:
MD5: 63edacd53f5ded7acdd3c26cbf841bea openssh-server-3.9p1-8.RHEL4.12.i386.rpm
SHA1: be53bd51e11fc4fd2ebbf72988ecc5eb70293798 openssh-server-3.9p1-8.RHEL4.12.i386.rpm

Check your system!

Anyone have any ideas?
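One way to run the kind of check the poster asks for, as an added example that is not part of the thread: verify the installed file against the RPM database and then look for absolute paths embedded in the sshd binary that a stock build has no reason to reference (the way /usr/include/gpmh2.h gave this one away). The directory list and the sample files are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes POSIX sh, tr, grep, sort.

# Print printable strings of at least 8 characters found in a file.
printable_strings() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '^.{8,}$'
}

# Print embedded absolute paths under directories a server daemon should
# never write to (header tree, world-writable temp dirs). Returns 1 if any.
# The directory list is an assumption chosen for this example.
suspicious_paths() {
    found=$(printable_strings "$1" \
        | grep -E -o '/(usr/include|tmp|dev/shm|var/tmp)/[A-Za-z0-9._/-]+' \
        | sort -u)
    [ -n "$found" ] || return 0
    printf '%s\n' "$found"
    return 1
}

# Full check on an installed binary: compare digests/perms with the RPM
# database (rpm -Vf prints a flag line per changed attribute), then scan
# for suspicious embedded paths. The rpm step only runs where rpm exists.
check_sshd() {
    bin=${1:-/usr/sbin/sshd}
    if command -v rpm >/dev/null 2>&1; then
        rpm -Vf "$bin" || echo "rpm -V: $bin differs from its package (see flags above)"
    fi
    if ! suspicious_paths "$bin"; then
        echo "SUSPECT: $bin references paths a stock sshd never touches"
        return 1
    fi
    echo "OK: no suspicious embedded paths in $bin"
}

# Constructed sample "binaries" so both outcomes can be seen offline.
make_samples() {
    dir=$(mktemp -d)
    printf '\177ELF\001\001\001\000clean/usr/sbin/sshd\000/etc/ssh/sshd_config\000' > "$dir/clean"
    printf '\177ELF\001\001\001\000/etc/ssh/sshd_config\000/usr/include/gpmh2.h\000' > "$dir/trojaned"
    echo "$dir"
}
```

Run `check_sshd` on a host to test the real binary; `make_samples` only exists to exercise the scan without touching the system.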

Posted: 2007/09/14 21:10:09
by toracat
Doesn't look good. There is no such file as gpmh2.h, and your sums may not seem to match:

You should disconnect the machine from the network and investigate the system.

Posted: 2007/09/14 22:46:03
by michaelnel
I would suspect that any other systems where you use the same ssh login stuff would also have been hacked by now. You are looking at reinstalling a lot more than the ssh rpm.