either openssh update breaks auditing, or I've a rootkit!?

dangerousdave
Posts: 2
Joined: 2006/03/21 15:31:16

either openssh update breaks auditing, or I've a rootkit!?

Post by dangerousdave » 2006/03/22 00:24:12

Hi

I'm new to CentOS, and I have a server running from the most recent snapshot my VPS service provides (4.1). I've noticed that after running "yum update openssh", "who" and "last" return nothing, and that /var/run/utmp isn't updated with new logins.

The collection of packages with this update is...

openssh-3.9p1-8.RHEL4.12
openssh-clients-3.9p1-8.RHEL4.12
openssh-server-3.9p1-8.RHEL4.12
audit-libs-1.0.12-1.EL4
pam-0.77-66.14


Am I just paranoid, or might I have been dealt an update from a dodgy repository and now have a rootkit on my system? :-o

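As an added check (example code written for this thread, not from the poster or from the CentOS packages): read /var/run/utmp directly using the glibc utmp record layout, so the answer to "is utmp being updated?" does not depend on a `who` binary that may itself be broken or replaced. The sample bytes below are constructed, not captured from a real host.

```python
import struct
from pathlib import Path

# glibc struct utmp: 384 bytes, little-endian, same layout on 32- and 64-bit Linux
UTMP_FMT = "<h2xi32s4s32s256shhi2i4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS, DEAD_PROCESS = 7, 8      # ut_type values from <utmp.h>

def _cstr(b: bytes) -> str:
    """Decode a NUL-padded fixed-width field."""
    return b.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_utmp(data: bytes):
    """Yield (ut_type, pid, line, user, host, epoch_sec) for every record."""
    if len(data) % UTMP_SIZE:
        raise ValueError(f"utmp size {len(data)} is not a multiple of {UTMP_SIZE}")
    for off in range(0, len(data), UTMP_SIZE):
        (ut_type, pid, line, _id, user, host, _term, _exit, _sess,
         tv_sec, _tv_usec, *_addr) = struct.unpack_from(UTMP_FMT, data, off)
        yield ut_type, pid, _cstr(line), _cstr(user), _cstr(host), tv_sec

def active_logins(data: bytes):
    """The records `who` should list: USER_PROCESS entries with a non-empty user."""
    return [(u, l, h, t) for (ty, _p, l, u, h, t) in parse_utmp(data)
            if ty == USER_PROCESS and u]

def make_record(ut_type, pid, line, user, host, tv_sec):
    """Build one utmp record (used here only to construct sample data)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)

# Constructed sample: one live ssh session plus one session that already logged out.
SAMPLE_UTMP = (make_record(USER_PROCESS, 4242, "pts/0", "dave", "203.0.113.5", 1143000000)
               + make_record(DEAD_PROCESS, 4100, "pts/1", "", "", 1142999000))

def check_live_utmp(path="/var/run/utmp"):
    """Read the real file when present; an empty list means no recorded logins."""
    p = Path(path)
    return active_logins(p.read_bytes()) if p.exists() else []

if __name__ == "__main__":
    # Compare this output with `who`; a populated file and an empty `who` point
    # at the tools, an empty file during an active ssh session points at sshd/PAM.
    for user, line, host, ts in check_live_utmp():
        print(f"{user:<8} {line:<8} {host}")
```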
dangerousdave
Posts: 2
Joined: 2006/03/21 15:31:16

Re: either openssh update breaks auditing, or I've a rootkit!?

Post by dangerousdave » 2006/03/22 17:05:03

So, my question is...

Has anyone else noticed their auditing disappear after updating openssh? And is it just a bug with the ssh server?


Also, I like the idea of centos-yumconf, whereby update sources are automatically allocated according to the machine's geographic location, but not necessarily from a security point of view. I haven't found an easy way yet to trace which server the update packages are actually coming from (unless I do a netstat at the time).

Is there some kind of report I can get out of yum which tells me which server packages originated from? And can I override centos-yumconf, so that I can explicitly set update repositories I trust?

Cheers,

ghostspace
Posts: 7
Joined: 2006/03/30 02:34:31

Re: either openssh update breaks auditing, or I've a rootkit!?

Post by ghostspace » 2006/03/30 02:36:38

[quote]
dangerousdave wrote:
Hi

I'm new to CentOS, and I have a server running from the most recent snapshot my VPS service provides (4.1). I've noticed that after running "yum update openssh", "who" and "last" return nothing, and that /var/run/utmp isn't updated with new logins.

The collection of packages with this update is...

openssh-3.9p1-8.RHEL4.12
openssh-clients-3.9p1-8.RHEL4.12
openssh-server-3.9p1-8.RHEL4.12
audit-libs-1.0.12-1.EL4
pam-0.77-66.14


Am I just paranoid, or might I have been dealt an update from a dodgy repository and now have a rootkit on my system? :-o[/quote]


I've experienced the same problem.
Any ideas when we can see a fix to the openssh?

ghostspace
Posts: 7
Joined: 2006/03/30 02:34:31

Re: either openssh update breaks auditing, or I've a rootkit!?

Post by ghostspace » 2006/03/30 03:09:24

This was a bug in the earlier versions of this release and was supposed to be fixed in .9 and definitely in .12, which is this release.

This shows that it's not fixed, but I'm not sure how to fix it.
