
Re: Advice Needed On Recent Rootings



kagato@souja.net said:
> of them.  It's not a password problem either.  He seems to have hacked
> multiple of them within an hour of each other (his rootkit files
> aren't very clever about covering up mtime).  I just can't tell how he
> got in.

Maybe he didn't use the same method for all of them. With the tty
sniffer, he could have sniffed passwords from the first box he cracked
if he was lucky enough to catch an admin su'ing. Do the timestamps
support that theory? (This is why ssh keys are good -- no secret of any
kind ever exists on the server, so even if it's compromised the attacker
can't sniff a password or secret key and use that to get into other
machines).

Also, how many people ssh into these machines? He could have control of
the desktop machine of someone who has user access, and then use local
holes to gain root once logged in as that user.

Jason
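One way to answer the "do the timestamps support that theory?" question above, as an added example that is not part of the original thread: take the rootkit files' mtimes as the rooting time of each host and line them up against the su/ssh events from wtmp or the auth log on every host, then ask, for each box after the first, whether an admin typed a credential on an already-rooted box shortly before it, and whether that user then showed up logging in to the victim. All hosts, users, times and the two-hour window are constructed assumptions, not data from the posts.

```python
# Added example, not from the thread: a timeline check for the theory that
# the attacker ran a tty sniffer on the first rooted box, caught an admin's
# password there and replayed it on the next hosts. All hosts, users and
# timestamps below are constructed; in practice they come from the rootkit
# files' mtimes and from wtmp / auth.log on each host.
from datetime import datetime, timedelta

# Constructed: earliest rootkit-file mtime seen on each host (UTC).
ROOTKIT_MTIMES = {
    "web1": "2001-03-10 02:05:00",
    "web2": "2001-03-10 02:41:00",
    "db1":  "2001-03-10 02:58:00",
}

# Constructed: (host, time, user, kind); kind is "su" for su-to-root or
# "ssh" for an interactive login, both typed on a tty a sniffer could read.
AUTH_EVENTS = [
    ("web1", "2001-03-10 01:20:00", "alice", "ssh"),
    ("web1", "2001-03-10 02:30:00", "alice", "su"),
    ("web2", "2001-03-10 02:40:00", "alice", "ssh"),
    ("web2", "2001-03-10 02:50:00", "bob",   "su"),
    ("db1",  "2001-03-10 02:55:00", "bob",   "ssh"),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def compromise_order(mtimes):
    """Hosts ordered by rootkit mtime; the first is the likely initial entry.
    Caveat: mtimes are only evidence because this rootkit did not reset them;
    an attacker can forge them (touch -r), so confirm against other sources."""
    return sorted(mtimes, key=lambda h: parse(mtimes[h]))


def sniff_candidates(mtimes, events, window=timedelta(hours=2)):
    """For every host after the first, find credentials the attacker could
    have sniffed on an earlier victim and replayed.

    A candidate is a su/ssh event by `user` on host H where
      * H was already rooted when the credential was typed (mtime[H] < t),
        so a tty sniffer could have been running, and
      * the event precedes this host's rootkit mtime by at most `window`.
    It is marked confirmed when `user` then logged in to the victim host
    between that event and the victim's rootkit mtime.
    Returns {victim: [(user, source_host, event_time, confirmed), ...]}.
    """
    order = compromise_order(mtimes)
    result = {}
    for victim in order[1:]:
        rooted_at = parse(mtimes[victim])
        found = []
        for host, ts, user, kind in events:
            if host == victim or host not in mtimes or kind not in ("su", "ssh"):
                continue
            t = parse(ts)
            if not (parse(mtimes[host]) < t < rooted_at):
                continue
            if rooted_at - t > window:
                continue
            confirmed = any(
                h == victim and u == user and k == "ssh"
                and t < parse(ts2) < rooted_at
                for h, ts2, u, k in events
            )
            found.append((user, host, t, confirmed))
        result[victim] = found
    return result


def theory_supported(mtimes, events):
    """True if every host after the first has a confirmed candidate, i.e. the
    timestamps are consistent with password replay from a previously rooted
    box. False rules out only this theory, not the compromise itself."""
    cands = sniff_candidates(mtimes, events)
    return all(any(c for *_, c in v) for v in cands.values())


if __name__ == "__main__":
    for victim, cands in sniff_candidates(ROOTKIT_MTIMES, AUTH_EVENTS).items():
        print(victim)
        for user, src, t, ok in cands:
            note = "and then logged in here" if ok else "(no matching login here)"
            print(f"  {user} typed a credential on {src} at {t:%H:%M} {note}")
    print("theory supported:", theory_supported(ROOTKIT_MTIMES, AUTH_EVENTS))
```

With the constructed data the chain reads web1, then web2 (alice su'd on the rooted web1 and logged in to web2 eleven minutes later), then db1 (bob su'd on the by-then-rooted web2 and logged in to db1 five minutes later), so the timestamps are consistent with the sniffed-password theory. A host with no confirmed candidate is where to look for a different entry route, such as the compromised-desktop route mentioned in the second paragraph.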


