
Re: Advice Needed On Recent Rootings



On Wed, May 28, 2003 at 03:11:03PM +0000, Jason Lunz wrote:
> Maybe he didn't use the same method for all of them. With the tty
> sniffer, he could have sniffed passwords from the first box he cracked
> if he was lucky enough to catch an admin su'ing. Do the timestamps
> support that theory? (This is why ssh keys are good -- no secret of any
> kind ever exists on the server, so even if it's compromised the attacker
> can't sniff a password or secret key and use that to get into other
> machines).
That's occurred to me too.  I think some password sniffing may be
involved.

Question:  Can one use a key *AND* a password?  That would make me
really happy.  I just don't like getting ahold of a file or a password
being enough...

> Also, how many people ssh into these machines? He could have control of
> the desktop machine of someone who has user access, and then use local
> holes to gain root once logged in as that user.
Server machines, no real desktop users.  One of these was a firewall
that pretty much only had SSH listening.  *IF* it was hacked directly
(rather than being compromised with a sniff'd password), then we've got
something to target.  The timestamps don't support much of anything,
since we don't really have many logs left (he's stupid, but not
st00p1d).  Our logging infrastructure is . . . improving.  Also, we're
implementing grsecurity.  I've been very impressed so far (and suspect
2.0 will be even better when it's stable).

Jayson
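The key-and-password question above, as an added example that is not part of the original thread: a POSIX shell check of an sshd_config for OpenSSH's AuthenticationMethods directive (introduced in OpenSSH 6.2, long after this 2003 exchange), which is how a modern server can demand both a public key and a password for one login. The two sshd_config samples are constructed here; the function name is the example's own.

```shell
#!/bin/sh
# Added example, not from the original thread. Checks whether an sshd_config
# requires BOTH a public key and a password via OpenSSH's AuthenticationMethods
# directive (OpenSSH 6.2+). Only the global section is inspected; Match blocks
# can override it for specific users/hosts and are ignored here.
# Exit status 0 = every alternative method chain demands publickey and password.

requires_key_and_password() {
    cfg="$1"
    # sshd uses the first value of a keyword in the global section, so stop at
    # the first "Match" line and take the first AuthenticationMethods seen.
    methods=$(sed -e 's/#.*//' "$cfg" | awk '
        tolower($1) == "match" { exit }
        tolower($1) == "authenticationmethods" && !seen { seen = 1; $1 = ""; print }')
    [ -n "$methods" ] || return 1
    # Chains are space-separated alternatives; each chain is a comma-separated
    # list of methods that must all succeed. Every chain must include both.
    for chain in $methods; do
        case ",$chain," in *,publickey,*) ;; *) return 1 ;; esac
        case ",$chain," in *,password,*)  ;; *) return 1 ;; esac
    done
    return 0
}

# Constructed sample configs: a single-factor server and a key+password server.
weak_cfg=$(mktemp)
strong_cfg=$(mktemp)
printf 'PubkeyAuthentication yes\nPasswordAuthentication yes\n' > "$weak_cfg"
printf 'PubkeyAuthentication yes\nPasswordAuthentication yes\n# key first, then password\nAuthenticationMethods publickey,password\n' > "$strong_cfg"

for f in "$weak_cfg" "$strong_cfg"; do
    if requires_key_and_password "$f"; then
        echo "$f: key AND password required"
    else
        echo "$f: a single factor is enough"
    fi
done
```

With the weak config, a stolen key file or a sniffed password alone still opens the box; with the strong one, an attacker needs both, which is the property the question asks for.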
