Hello, The SSH error is usually caused by the SSH server (your machine) being reformatted, or having SSH uninstalled and reinstalled, or have the public/private keys regenerated for some reason. have you recently made any changes to SSH, or reinstalled your system??
It could also happen if he has been making changes to his "~/.ssh/known_hosts" file. HTH... Richard. Quoting Ian Goodall <[EMAIL PROTECTED]>: > Thanks for your help Guys. > > It now says this: > > > wtmp begins Wed May 7 13:21:47 2003 > > I think that is what had happened. I am new to this and this just looked > dodgy to me! > > A friend also has ssh shell access to the box and got the following error > message when connecting to the same my box: > > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ > > @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ > > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ > > IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! > > Someone could be eavesdropping on you right now (man-in-the-middle attack)! > > It is also possible that the RSA host key has just been changed. > > The fingerprint for the RSA key sent by the remote host is > > 51:bd:cd:2e:6a:b7:35:b9:54:33:a8:e2:9a:57:95:0d. > > Please contact your system administrator. > > I don't get this from any other computers so is this just his computer? > > Thanks > > ----- Original Message ----- > From: "Eric LeBlanc" <[EMAIL PROTECTED]> > To: "Ian Goodall" <[EMAIL PROTECTED]> > Cc: <[email protected]> > Sent: Wednesday, May 07, 2003 3:23 PM > Subject: Re: Have I been hacked? > > > > > > Check if your program have rotated the logs... > > > > cd /var/log > > > > ls -l wtmp* > > > > and, check in /etc/cron* or do a crontab -l (in user root) > > > > > > E. > > -- > > Eric LeBlanc > > [EMAIL PROTECTED] > > -------------------------------------------------- > > UNIX is user friendly. > > It's just selective about who its friends are. > > ================================================== > > > > On Wed, 7 May 2003, Ian Goodall wrote: > > > > > I am running a debian woody server and when I checked the last users > > > yesterday I a large number of logins in the list. On running the command > > > today I get the following: > > > > > > dev1:/home/ian# last > > > ian pts/0 172.16.3.195 Wed May 7 14:49 still logged > in > > > team1 pts/0 blue99.ex.ac.uk Wed May 7 13:21 - 13:57 (00:35) > > > > > > I have run chkrootkit but nothing was found. > > > > > > I have never had this before. Am I being paranoid or is someone trying > to > > > cover up their tracks? > > > > > > Thanks > > > > > > ijg0 > > > > > > > > > > > > -- > > > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > > > with a subject of "unsubscribe". Trouble? Contact > [EMAIL PROTECTED] > > > > > > > > -- > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > with a subject of "unsubscribe". Trouble? Contact > [EMAIL PROTECTED] > > -- Richard Hobbs [EMAIL PROTECTED] http://mongeese.co.uk | http://unixforum.co.uk "There's only one way of life, and that's your own" - The Levellers _____________________________________________________ Send all your jokes to [EMAIL PROTECTED] !! To subscribe, email: [EMAIL PROTECTED]
