
My sshd binary on an Ubuntu 10.10 machine contains the following ASCII artwork:

ng: %.100sToo many lines in environment file %sUser %.100s not allowed because %s exists            YOU WANNA      .                              
          SMOKE        M      A SPLIFF ?              
                  dM                              
        ROLL ME   MMr   %d TIMES                  
                 4MMML                  .         
                 MMMMM.                xf         
 .               MMMMM               .MM-         
  Mh..           MMMMMM            .MMMM          
  .MMM.         .MMMMML.          MMMMMh          
   )MMMh.        MMMMMM         MMMMMMM           
    3MMMMx.      MMMMMMf      xnMMMMMM            
    '*MMMMM      MMMMMM.     nMMMMMMP             
      *MMMMMx     MMMMM    .MMMMMMM=             
       *MMMMMh    MMMMM    JMMMMMMP               
         MMMMMM   3MMMM.  dMMMMMM            .    
          MMMMMM   MMMM  .MMMMM         .nnMP     
..          *MMMMx  MMM   dMMMM     .nnMMMMM*      
 MMn...     'MMMMr 'MM   MMM    .nMMMMMMM*        
  4MMMMnn..   *MMM  MM  MMP   .dMMMMMMM           
   MMMMMMMx.  *ML   M .M*  .MMMMMM**              
      *PMMMMMMhn. *x > M  .MMMM**                 
           **MMMMhx/.h/ .=*                       
                  .3P %....                       
                nP       *MMnx                    

I'm assuming that this means that my machine has been hacked. Can anyone confirm this? I can't imagine this being a valid file.

Josh Knauer

2 Answers

Compare grep usr/sbin/sshd /var/lib/dpkg/info/openssh-server.md5sums to md5sum /usr/sbin/sshd. When they come up with different md5sums, you are no longer using the packaged version. If they are the same, it doesn't mean anything definitive, since anyone who is able to modify your sshd binary obviously has the privileges to alter the md5sum recorded in /var/lib/dpkg/info. The next step would be to download the package with the same version from http://packages.ubuntu.com/openssh-server to a trusted computer and check the md5sum there.

stew
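The check stew describes, written out as an added shell example; this is not part of the original answer. It runs against a constructed fake root rather than a real Ubuntu system: a stand-in file in place of sshd, an md5sums list in dpkg's own format, and the three states a responder actually meets (untouched binary, modified binary, and modified binary with the local md5sums list rewritten by the attacker, which is the case the answer warns about). The fixture paths and the `demo` function are this example's own.

```shell
#!/bin/sh
# Added example (not from the original answer): verify files against a
# dpkg-style md5sums list, as stew suggests for /usr/sbin/sshd.
#
# /var/lib/dpkg/info/<package>.md5sums has one entry per shipped file:
#   <32 hex md5>  <path relative to />        e.g.  <md5>  usr/sbin/sshd
# Everything below is built in a constructed fake root so it runs offline.

# check_md5sums MD5SUMS_FILE ROOT
# Prints one line per modified or missing file. Returns 0 if every file
# matches its recorded checksum, 1 otherwise.
check_md5sums() {
    sums_file="$1"
    root="${2:-/}"
    status=0
    while read -r expected relpath; do
        [ -z "$expected" ] && continue
        file="${root%/}/$relpath"
        if [ ! -f "$file" ]; then
            printf 'MISSING  %s\n' "$file"
            status=1
            continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            printf 'MODIFIED %s (recorded %s, actual %s)\n' "$file" "$expected" "$actual"
            status=1
        fi
    done < "$sums_file"
    return $status
}

# regen_md5sums ROOT
# Recomputes an md5sums list from whatever is on disk. This is exactly what
# an attacker with root does to /var/lib/dpkg/info after replacing sshd,
# and it is why a match against the LOCAL list proves nothing.
regen_md5sums() {
    (cd "$1" && find . -type f -exec md5sum {} + | sed 's|  \./|  |' | sort -k2)
}

# make_fixture DIR
# Constructed stand-in for a Debian root: a fake "sshd" plus the md5sums
# list as a clean reference machine would extract it from the .deb.
make_fixture() {
    fx="$1"
    mkdir -p "$fx/root/usr/sbin"
    printf 'pretend this is the packaged sshd\n' > "$fx/root/usr/sbin/sshd"
    regen_md5sums "$fx/root" > "$fx/trusted.md5sums"   # copy kept on a trusted host
    cp "$fx/trusted.md5sums" "$fx/local.md5sums"       # what /var/lib/dpkg/info would hold
}

# demo: clean -> backdoored -> attacker also rewrites the local md5sums list
demo() {
    wd=$(mktemp -d)
    make_fixture "$wd"
    echo '1) untouched binary, local list:'
    check_md5sums "$wd/local.md5sums" "$wd/root" && echo '   match'

    printf 'backdoor\n' >> "$wd/root/usr/sbin/sshd"
    echo '2) modified binary, local list:'
    check_md5sums "$wd/local.md5sums" "$wd/root" || echo '   mismatch detected'

    regen_md5sums "$wd/root" > "$wd/local.md5sums"
    echo '3) modified binary, attacker-updated local list:'
    check_md5sums "$wd/local.md5sums" "$wd/root" && echo '   match (meaningless: the list is untrusted)'
    echo '4) modified binary, list from the trusted copy of the .deb:'
    check_md5sums "$wd/trusted.md5sums" "$wd/root" || echo '   mismatch detected'
    rm -rf "$wd"
}

demo
```

On a real host the local comparison is `check_md5sums /var/lib/dpkg/info/openssh-server.md5sums /` (the `debsums` package does the same thing). The trusted list for step 4 comes from the .deb fetched on a clean machine, e.g. `dpkg-deb --ctrl-tarfile openssh-server_<version>.deb | tar -xO ./md5sums > trusted.md5sums`, with the version matching `dpkg -l openssh-server` on the suspect box. Two caveats: whoever replaced sshd could just as well have replaced `md5sum`, `sh` or `find`, so run the comparison from rescue media or against a copied disk image rather than on the running system; and the md5sums file only covers files the package ships, so a binary dropped at a new path or a changed config file will not show up here at all.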

In the meantime: do not trust password authentication. Use SSH keys for that. Also, restrict console access to the IPs you are known to work from in your firewall. And last: regularly update your server packages.

To mitigate the hack: check unused user accounts to make sure they are disabled, check for 'foreign processes' which listen on ports reachable from the outside or which contact external servers. Tighten your firewall, also in the outgoing direction. Check for strange apt sources to make sure you won't install untrusted packages.

Good luck!

HBruijn
Chris
    The ServerFault consensus is that once you have determined that you have a serious security breach (and a rogue SSH server is definitely a fully compromised system) there are no real mitigating measures. Definitely check the canonical answer http://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server – HBruijn Jul 12 '15 at 15:38
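One concrete form of the "foreign processes listening on reachable ports" check from the second answer, added here as an example that is not from the original answer or the comment. It is a triage step for deciding what the attacker exposed before the machine is rebuilt, in line with the linked canonical answer, not a fix. It runs over a captured `ss -tlnp` listing and reports every listener that is not on a port/process allowlist; the `ss` output and the allowlist below are constructed for the example, not taken from a real host.

```shell
#!/bin/sh
# Added example (not from the original answer): flag listening sockets that
# are not on an allowlist, working from saved `ss -tlnp` output. The sample
# capture and the allowlist are constructed so this runs offline.

# unexpected_listeners ALLOWLIST SS_OUTPUT
# ALLOWLIST holds "<port> <process>" pairs, one per line ('#' comments ok).
# Prints one line per listener not on the list; returns 1 if any, else 0.
unexpected_listeners() {
    awk -v allowfile="$1" '
        BEGIN {
            while ((getline line < allowfile) > 0) {
                sub(/^[[:space:]]+/, "", line)
                if (line == "" || line ~ /^#/) continue
                split(line, f, /[[:space:]]+/)
                allowed[f[1] " " f[2]] = 1
            }
        }
        $1 != "LISTEN" { next }                  # skip header and non-listening rows
        {
            laddr = $4                           # e.g. 0.0.0.0:22  or  [::]:22
            n = split(laddr, parts, ":")
            port = parts[n]                      # text after the last colon
            addr = substr(laddr, 1, length(laddr) - length(port) - 1)
            proc = "?"                           # ss shows no process unless run as root
            if (match($0, /users:\(\("[^"]+"/))
                proc = substr($0, RSTART + 9, RLENGTH - 10)   # strip users:((" and the closing "
            if (!((port " " proc) in allowed)) {
                printf "UNEXPECTED %s (port %s) bound to %s\n", proc, port, addr
                count++
            }
        }
        END { exit count ? 1 : 0 }
    ' "$2"
}

# write_sample DIR
# Constructed `ss -tlnp` capture and allowlist (not real data). The second
# "sshd" on 4444 is the kind of entry the answer means by a foreign process.
write_sample() {
    cat > "$1/ss.txt" <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      128             [::]:22            [::]:*     users:(("sshd",pid=812,fd=4))
LISTEN 0      80         127.0.0.1:3306       0.0.0.0:*     users:(("mysqld",pid=903,fd=11))
LISTEN 0      128          0.0.0.0:4444       0.0.0.0:*     users:(("sshd",pid=2231,fd=5))
EOF
    cat > "$1/allow.txt" <<'EOF'
# port  process   -- what this host is supposed to expose
22      sshd
3306    mysqld
EOF
}

demo() {
    wd=$(mktemp -d)
    write_sample "$wd"
    unexpected_listeners "$wd/allow.txt" "$wd/ss.txt"
    rm -rf "$wd"
}

demo
```

On the suspect machine, capture with `ss -tlnp > ss.txt` as root (the `-p` column is empty otherwise); `netstat -tlnp` gives similar information but different columns, so the parser above would need adjusting. Two caveats matter here: the process name is whatever the attacker chose, which is why the sample's second "sshd" is only caught by the port, so resolve `/proc/<pid>/exe` for anything suspicious and compare that file against the package as in the first answer; and a kernel-level rootkit can hide sockets from `ss` entirely, so a clean result on the compromised host is a lower bound, not a clearance. Listening on the same port from a second host with `nmap` gives an independent view.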