LinuxSA Mailing list archives
From: Alain Satre <alain@messagebay.com>
To: <linuxsa@linuxsa.org.au>
Date: Fri, 09 Feb 2001 12:26:53 -0800
SSH Question
Recently some of our Red Hat 6.2 servers were penetrated through a common
exploit in rpc services. After patching and reloading, we have
noticed that some of our hosts give this message when we attempt an ssh
connection. I'm wondering what could have been done to cause this? I
know I can probably just re-key the whole setup, but I wanted to know
what the intruders may have done. The warning alone states a "man in
the middle" attack but I'm not familiar with it. Any ideas? Should I
just wipe out all keys and start over and be done with it? Or is this
worth investigating further?
[root@embpc14 /tmp]# ssh 10.1.2.106
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle
attack)!
It is also possible that the RSA host key has just been changed.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this
message.
RSA host key for 10.1.2.106 has changed and you have requested strict
checking.
Alain Satre
SysAdmin Generalist
--
LinuxSA WWW: http://www.linuxsa.org.au/ IRC: #linuxsa on irc.linux.org.au
To unsubscribe from the LinuxSA list:
mail linuxsa-request@linuxsa.org.au with "unsubscribe" as the subject
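
An added example, not part of the original post: one way to triage the warning quoted above is to compare the key a host now presents against the client's stored entry and against a fingerprint read on the server's own console (for example with `ssh-keygen -lf` on its host public key). It assumes the current OpenSSH `known_hosts` line format (host, key type, base64 key) with unhashed hostnames; the function names, the toy keys and the sample file are constructed for illustration.

```python
import base64, hashlib, struct

def _ssh_str(b):
    return struct.pack(">I", len(b)) + b

def make_rsa_line(host, n, e=65537):
    """Build a CONSTRUCTED 'host ssh-rsa <base64>' line (toy modulus, demo only)."""
    mp = lambda x: _ssh_str(x.to_bytes(x.bit_length() // 8 + 1, "big"))
    blob = _ssh_str(b"ssh-rsa") + mp(e) + mp(n)
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}"

def fingerprint(b64_key):
    """SHA256 fingerprint in the form printed by `ssh-keygen -lf`."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def stored_keys(known_hosts, host):
    """Base64 keys recorded for host in plain (unhashed) known_hosts entries."""
    keys = []
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@", "|")):
            continue  # comments, @markers and hashed hostnames are skipped here
        if host in fields[0].split(","):
            keys.append(fields[2])
    return keys

def classify(known_hosts, host, presented_line, console_fp):
    """Decide what a changed-key warning means for one host.
    console_fp is the fingerprint read on the server's own console."""
    presented = presented_line.split()[2]
    if presented in stored_keys(known_hosts, host):
        return "unchanged"
    if fingerprint(presented) == console_fp:
        return "rekeyed-verified"   # reinstall made a new key; replace the stale entry
    return "unverified"             # do not accept; investigate the host and the path

# Constructed sample data (toy moduli, not real keys).
OLD = make_rsa_line("10.1.2.106", 0xC0FFEE1234567891)    # key stored before the reload
NEW = make_rsa_line("10.1.2.106", 0xDEADBEEF87654321)    # key generated by the reload
OTHER = make_rsa_line("10.1.2.106", 0xABCDEF0123456789)  # key nobody can account for
KNOWN_HOSTS = "# client known_hosts\n" + OLD + "\n"
CONSOLE_FP = fingerprint(NEW.split()[2])

if __name__ == "__main__":
    for name, line in (("old", OLD), ("new", NEW), ("other", OTHER)):
        print(name, classify(KNOWN_HOSTS, "10.1.2.106", line, CONSOLE_FP))
```

Only the "rekeyed-verified" case justifies removing the old entry (for example with `ssh-keygen -R`) and accepting the new key; "unverified" means the presented key matches neither the stored key nor the console fingerprint.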