# hacked ssh binary

## spymac

Hi, I found hacked openssh binaries on a Gentoo server. My question is whether the following commands are 100% safe; the system that needs repair is a remote server. I'm not a Gentoo user and I have only a little experience with it.

```
# emerge --sync
# emerge portage
# emerge --ask --oneshot --verbose ">=net-misc/openssh-7.1_p2"
```

The current openssh version is OpenSSH_5.9p1-hpn13v11, OpenSSL 1.0.1g 7 Apr 2014.

Thank you very much.

----------

## Buffoon

There is no repair, reinstall only. Nothing can be trusted in a compromised system.

----------

## spymac

This is only a temporary solution for one month; the server will be replaced with a new one. Please help.

----------

## Buffoon

In my book leaving "owned" box online is not a solution, temporary or not. Sorry.

----------

## frostschutz

If you don't even know how to `emerge openssh`, how can you tell that the binaries are hacked in the first place?

----------

## spymac

I'm not a Gentoo user, so I do not know the update/upgrade commands or Gentoo's behavior before/after an update. I always use Debian. The binaries have a changed date; the date is the same as the hacked files in the /var/www folder. My question is whether it is safe to upgrade openssh, as it is the only access to the remote server.
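
One way to check the observation above (binaries whose dates changed) against Portage's own install records, added here as an editor's example and not anything posted in the thread: Portage keeps a CONTENTS file per installed package under /var/db/pkg listing each file's MD5 and mtime at install time. The script is a hypothetical helper, not a Portage tool, and assumes GNU coreutils (`md5sum`, `stat -c`).

```shell
#!/bin/sh
# Compare files recorded in a Portage CONTENTS file with what is on disk.
# Portage writes, per installed package, /var/db/pkg/<cat>/<pkg-ver>/CONTENTS
# with one line per path, e.g. (constructed sample line):
#   obj /usr/bin/ssh 0123456789abcdef0123456789abcdef 1397000000
# i.e. type, path, MD5 at install time, mtime (epoch seconds) at install time.
# Hypothetical helper, not a Portage tool. Assumes GNU coreutils (md5sum, stat -c).
# Limitation: paths containing spaces are not handled.

# check_contents <CONTENTS file> [root prefix]
# Prints one line per missing, modified or re-timestamped file and returns the
# number of findings as its exit status (0 = everything matches the records).
check_contents() {
    contents=$1
    root=${2:-}
    findings=0
    while read -r type path rest; do
        [ "$type" = obj ] || continue          # dir/sym entries carry no hash
        rec_md5=${rest% *}                      # "<md5> <mtime>" -> md5
        rec_mtime=${rest##* }                   # "<md5> <mtime>" -> mtime
        file="$root$path"
        if [ ! -f "$file" ]; then
            printf 'MISSING  %s\n' "$path"
            findings=$((findings + 1))
            continue
        fi
        cur_md5=$(md5sum "$file" | cut -d' ' -f1)
        cur_mtime=$(stat -c %Y "$file")
        if [ "$cur_md5" != "$rec_md5" ]; then
            # Content differs from what Portage installed: the case in this thread.
            printf 'MODIFIED %s (mtime now %s, installed %s)\n' "$path" "$cur_mtime" "$rec_mtime"
            findings=$((findings + 1))
        elif [ "$cur_mtime" != "$rec_mtime" ]; then
            # Same bytes but a new timestamp: worth a look, e.g. a re-copied file.
            printf 'TOUCHED  %s (mtime now %s, installed %s)\n' "$path" "$cur_mtime" "$rec_mtime"
            findings=$((findings + 1))
        fi
    done < "$contents"
    # Exit status is limited to 0..255, so cap the count.
    return $(( findings < 255 ? findings : 255 ))
}

# Stand-alone use: sh check_contents.sh /var/db/pkg/net-misc/openssh-*/CONTENTS
if [ "$#" -gt 0 ]; then
    check_contents "$1" "${2:-}"
fi
```

On a box that is already root-compromised, the CONTENTS records and `md5sum` itself may have been altered too, so a mismatch is evidence but a clean report is not. Compare against records copied from a known-good host, which is also why the replies below insist on rebuilding.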

----------

## Buffoon

As you do not drive a car without steering and brakes as a temporary solution, you do not leave a compromised box online. This is irresponsible.

----------

## spymac

Thanks for nothing ... Now I know that Gentoo is a useless and vulnerable system with nowhere to get advice or support.

----------

## khayyam

*spymac wrote:*

> Thanks for nothing ... Now I know that Gentoo is a useless and vulnerable system with nowhere to get advice or support.

spymac ... no. 1) You did get "advice and support": the machine is compromised, and the only advice someone can give you in such a case is to take the machine offline; that is standard security practice. 2) If the machine was compromised via httpd then this has nothing to do with Gentoo per se; the blame lies entirely with whomever is maintaining the machine ... so, how the install/httpd/etc. was maintained/configured, the code run by httpd, etc., etc. You seem to think not only that we should provide bad advice, but that we are responsible for whatever happens on the machine you're maintaining ... you are wrong on both counts.

best ... khay

----------

## NeddySeagoon

spymac,

You don't have a month.  You have no idea what other back doors are on that box.  In security, there are no temporary solutions.

Upgrading sshd won't fix it as you have already said that wasn't the way the box was compromised.

Take the box offline and restore it from some known good backups. Then fix the source of the exploit, then put it back online.

You do have backups, don't you?

----------

## Ant P.

*spymac wrote:*

> The binaries have a changed date; the date is the same as the hacked files in the /var/www folder.

Running web-facing software with root privileges? Then sorry, the distro is immaterial here. Whoever is supposed to be responsible for that machine is in fact an irresponsible moron, and it shouldn't be online at all. Who knows what else they screwed up? Maybe they put the backdoor there?

----------