DNS spoofing?
03-07-2012, 05:41 PM
Post: #1
DNS spoofing?
I've had several DH sites hacked and have been cleaning up. When I try to get into most of them through the terminal command or through SFTP, I get the message below. I can FTP in, which is what I've had to do to clean up the sites, but that's not safe in itself. The first response I got from DH didn't answer the question, but did tell me I'd been hacked (which I already knew, but they did provide more info than I had); the 2nd response just apologized for taking so long. Any ideas about what I can do to get terminal and SFTP ability back?


@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The RSA host key for teryg.net has changed,
and the key for the corresponding IP address 208.113.201.133
is unchanged. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
Offending key for IP in /Users/terygriffin/.ssh/known_hosts:8
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
0e:c2:f6:f4:d9:86:9d:4b:c4:3d:77:e7:a4:bb:59:14.
Please contact your system administrator.
Add correct host key in /Users/terygriffin/.ssh/known_hosts to get rid of this message.
Offending key in /Users/terygriffin/.ssh/known_hosts:1
RSA host key for teryg.net has changed and you have requested strict checking.
Host key verification failed.
03-07-2012, 06:04 PM
Post: #2
RE: DNS spoofing?
In this case, it probably just means your site's been moved to a different server since the last time you SSHed into it. SSH kind of freaks out when this happens, since it can't tell the difference between that and someone trying to trick you into connecting to the wrong server.

You can either remove the appropriate line from .ssh/known_hosts, or just remove the whole file, if that's easier*.

*: To the nitpickers: Yes, this will remove known_hosts entries for other servers as well. This is a slightly unsafe shortcut, but it will be fine in most cases, especially if you're only using SSH to connect to DreamHost anyway.
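The narrower of the two options in post #2, removing only the lines the warning names, as an added example that is not part of the original thread. The function names and the sample entries are constructed for illustration, and the script assumes the two "Offending key" line forms shown in post #1.

```shell
#!/bin/sh
# Added example: delete only the known_hosts lines that an ssh host-key
# warning names, keeping a backup. Paths with spaces are not handled.

# offending_lines WARNING_FILE KNOWN_HOSTS
# Prints the line numbers the warning reports for KNOWN_HOSTS, sorted.
offending_lines() {
    awk -v kh="$2" '
        # Matches both forms shown in the warning above.
        /^Offending key( for IP)? in / {
            ref = $NF                        # e.g. /path/known_hosts:8
            n = ref; sub(/.*:/, "", n)       # number after the last colon
            f = ref; sub(/:[0-9]+$/, "", f)  # path before it
            if (f == kh && n ~ /^[0-9]+$/) print n
        }' "$1" | sort -n -u
}

# prune_known_hosts WARNING_FILE KNOWN_HOSTS
# Copies KNOWN_HOSTS to KNOWN_HOSTS.bak, then rewrites it without those lines.
prune_known_hosts() {
    lines=$(offending_lines "$1" "$2" | tr '\n' ' ')
    [ -n "$lines" ] || { echo "no offending entries for $2" >&2; return 1; }
    cp -p "$2" "$2.bak" || return 1
    # One pass, so the numbers still refer to the original file.
    awk -v drop="$lines" '
        BEGIN { n = split(drop, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        !(NR in skip)' "$2.bak" > "$2"
}

# Demo on constructed data: eight fake entries, warning names lines 8 and 1.
demo() {
    d=$(mktemp -d) || return 1
    kh="$d/known_hosts"
    for i in 1 2 3 4 5 6 7 8; do
        echo "host$i.example ssh-rsa CONSTRUCTEDKEY$i"
    done > "$kh"
    printf 'Offending key for IP in %s:8\nOffending key in %s:1\n' \
        "$kh" "$kh" > "$d/warning.txt"
    prune_known_hosts "$d/warning.txt" "$kh" && cut -d' ' -f1 "$kh"
    rm -rf "$d"
}
demo
```

`ssh-keygen -R teryg.net` removes the entries for a host by name instead of by line number. On the next connection, compare the fingerprint ssh shows with one obtained from the hosting provider before accepting the new key.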
03-08-2012, 12:37 PM
Post: #3
RE: DNS spoofing?
Thanks, andrewf. I removed the offending line and am now able to use SFTP.