3

I cannot connect to my server via ssh; it throws a "server unexpectedly closed connection" error after I enter the password.

In /var/log/messages the only notable message is:

Apr 14 17:41:23 s15410270 kernel: sshd[3602]: segfault at c0 ip 7f0801acbdb0 sp 7fff0adff860 error 4 in libc-2.8.so[7f0801a87000+14f000]
Apr 14 17:41:29 s15410270 kernel: sshd[3606]: segfault at c0 ip 7f75f9463db0 sp 7fff027971f0 error 4 in libc-2.8.so[7f75f941f000+14f000]

This message appears after a login attempt via ssh or via sftp.

It's a SuSE Linux server. I'm looking for help on where to start searching for the error; I can still act as root via a serial console.

Edit: "server unexpectedly closed connection" only appears if I enter the correct password!

trampi

1 Answer

2

Check to make sure you weren't compromised. Run an rpm verify on your ssh daemon... You may also want to get a tool like chkrootkit installed and running.

`rpm -vV openssh | grep 'S\.5'` should work for SuSE. Post the output.

Also see the details posted in: sshd running but no PID file

ewwhite
  • 1
    Thanks! `S.5..... c /etc/ssh/ssh_config`, `S.5..... c /etc/ssh/sshd_config`, `S.5....T /usr/bin/ssh`, `S.5....T /usr/sbin/sshd`. I'll install chkrootkit; rkhunter last ran on the 9th of April and found nothing. – trampi Apr 14 '12 at 16:48
  • 1
    Your ssh and sshd binaries have been modified. The system has probably been compromised. You can download the `openssh` rpm for your system and force reinstall it by hand (`rpm -ivh --force openssh*rpm`) to get past the initial issue, but you will need to determine the extent of the damage. – ewwhite Apr 14 '12 at 16:53
  • Alright, I'll tell the guy who is responsible for the servers. Thanks! – trampi Apr 14 '12 at 17:00
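
Added example (not part of the original thread): a small shell filter that triages `rpm -V` output like the lines posted above, separating digest mismatches on config files (marker `c`, which administrators routinely edit) from digest mismatches on packaged binaries such as `/usr/sbin/sshd`. The function names and the `REVIEW`/`ALERT`/`MISSING` labels are hypothetical; the sample input reuses the four lines from the comment plus one constructed line.

```shell
#!/bin/sh
# Added example: triage `rpm -V` output read from stdin.
# Flag string positions: S=size M=mode 5=digest D=device L=link U=user G=group T=mtime
# Optional one-letter marker before the path: c=config d=doc g=ghost l=license r=readme
# Output: "<LABEL><TAB><path>" (labels are hypothetical names chosen for this example).

triage_rpm_verify() {
    awk '
    $1 == "missing" {                          # packaged file no longer on disk
        print "MISSING\t" substr($0, index($0, "/")); next
    }
    $1 ~ /^[A-Za-z0-9.?]+$/ && length($1) >= 8 {
        if (substr($1, 3, 1) != "5") next      # digest matches the package: skip
        marker = (NF >= 3 && length($2) == 1) ? $2 : ""
        path = substr($0, index($0, "/"))      # keeps paths that contain spaces
        if (marker == "c") print "REVIEW\t" path   # edited config: diff it by hand
        else               print "ALERT\t" path    # packaged file content changed
    }'
}

# Sample input: four lines from the thread, last line constructed (mtime-only change).
sample_verify_output() {
    cat <<'EOF'
S.5..... c /etc/ssh/ssh_config
S.5..... c /etc/ssh/sshd_config
S.5....T /usr/bin/ssh
S.5....T /usr/sbin/sshd
.......T /usr/bin/scp
EOF
}

# Demo run on the sample; on a live system use: rpm -V openssh | triage_rpm_verify
sample_verify_output | triage_rpm_verify
```

Because a modified `rpm` binary or database can hide changes, results are more trustworthy when the verify is run from known-good media against the mounted filesystem.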