[CLUE-Tech] Problem starting secure shell on boot

Warren warren at guano.org
Sun Sep 2 20:58:45 MDT 2001


I have a box running RH6.2.

It's patched now, but within a day of putting it on the 'net, it got
rooted and the attackers left their own sshd binaries and config files
behind.  Some of the files had been renamed and the immutable flag set,
but I'm pretty sure I've got *almost* all of them.

I have a System V-type startup script for secure shell,
/etc/rc.d/init.d/sshd, and the problem is that it fails to start on
boot. You can start it from console, though, after booting.

The following is an example from the messages file showing boot
messages:

 Aug 25 12:47:11 mail sshd: Starting sshd:
 Aug 25 12:47:11 mail sshd:
 Aug 25 12:47:11 mail rc: Starting sshd succeeded

Even though it's indicating a successful start-up, sshd is, in fact,
*not* starting.

The following shows the log after a console restart:

 Aug 25 18:41:13 mail sshd: sshd shutdown succeeded
 Aug 25 18:41:13 mail sshd: sshd startup succeeded

Is anybody familiar with this type of attack and can you recommend a
place to look?


-- 

 </W>

 http://guano.org/warren/pgp.txt
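
Added example, not part of Warren's message: one way to list the files an intruder has locked with the immutable flag mentioned above, by filtering `lsattr -R` output. The sample listing and its paths are constructed, the function names are hypothetical, and append-only files are reported as well because that flag also blocks deletion.

```shell
#!/bin/sh
# Added example, not from the original post. Filters `lsattr -R` output for
# files carrying the ext2 immutable (i) or append-only (a) attribute.

# Constructed sample of `lsattr -R` output; every path here is made up.
sample_lsattr() {
    cat <<'EOF'
/usr/local/sbin:
-------- /usr/local/sbin/backup.sh
----i--- /usr/local/sbin/sshd

/usr/local/etc:
-------- /usr/local/etc/motd
----i--- /usr/local/etc/sshd config.bak
-----a-- /usr/local/etc/notes.log
EOF
}

# Reads lsattr output on stdin; prints "KIND<TAB>PATH" per flagged file.
flagged_files() {
    awk '
        # Field 1 must look like an attribute string; this skips blank
        # lines and the "dirname:" headers that lsattr -R prints.
        # Lowercase only: uppercase I and A are different attributes.
        NF >= 2 && $1 ~ /^[-A-Za-z]+$/ && $1 ~ /[ia]/ {
            kind = ($1 ~ /i/) ? "immutable" : "append-only"
            path = $0
            sub(/^[^ ]+ +/, "", path)   # keep spaces inside the path
            printf "%s\t%s\n", kind, path
        }
    '
}

# Real use (assumed invocation): lsattr -R /etc /usr 2>/dev/null | flagged_files
if [ "${1:-}" = "--demo" ]; then
    sample_lsattr | flagged_files
fi
```

Each reported path can then be compared against the package database or known-good media before the flag is cleared and the file removed.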