
Re: doing an ssh into a compromised host



> You could force the SSH client to *not* forward X11 with -x
> (the lower-case x char) regardless of other client/server-side
> specifications. If you do not specify any other special
> forwarding (-L or -R) then there will be no forwarding.

Good, that was what I was hoping for. (Obviously, my 
default /etc/ssh/ssh_config doesn't turn on the fwding by default.)

Luckily, I am not using any agent fwding either.

The box is remote, and I'll only have console access in a couple of days.
Meanwhile, the only thing I can do is look at some offline backups and
work remotely in the (compromised) environment. Right now I'm looking at
the lsof output there; lsof shows a curious entry from Apache:

apache 3170     root  mem    DEL        0,5                   0 /SYSV0000000 

Does it ring a bell for anyone? (The box runs apache 1.3.26-0woody5.)

chkrootkit (inside the compromised environment, so it is no big surprise) 
doesn't report anything.

V.
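An added triage example, not part of the original thread and not code from lsof or OpenSSH: a small Python parser over lsof's default column layout that sorts out the entries lsof labels TYPE DEL (a Linux memory mapping whose backing file has been unlinked). Two unrelated things end up with that label: System V shared-memory segments, which the kernel names /SYSV<hex key> and which therefore always look "deleted", and ordinary files (an executable, a library, a dropped payload) removed from disk after a process mapped them, which is the case worth chasing on a compromised host. The sample rows below are constructed for the example and modelled on the entry quoted above; the paths /tmp/.x/httpd and /lib/libproc.so.0 and the pid 4211 are hypothetical, not findings from the box in question.

```python
"""Triage lsof output copied off a suspect host.

lsof prints TYPE "DEL" for a Linux map file that has been deleted.  The
classifier below separates SysV shared memory (named /SYSV<key> by the
kernel, so it always shows as deleted) from regular files that vanished
after being mapped, and additionally flags processes whose own executable
(FD "txt") is gone, the strongest indicator of a replaced or dropped binary.
"""
import re
from dataclasses import dataclass

# Constructed sample rows (not real data from the thread), following the
# default lsof columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME.
# SIZE/OFF is blank on DEL rows, so whitespace splitting by index would
# misalign the columns; the regex makes that field optional instead.
SAMPLE_LSOF = """\
COMMAND  PID USER  FD   TYPE DEVICE SIZE/OFF   NODE NAME
apache  3170 root  mem   DEL    0,5               0 /SYSV00000000
apache  3170 root  mem   REG    3,1   1234567  98765 /usr/lib/apache/1.3/mod_php4.so
sshd    1204 root  txt   REG    3,1    312064  40012 /usr/sbin/sshd
httpd   4211 root  txt   DEL    3,1               0 /tmp/.x/httpd
httpd   4211 root  mem   DEL    3,1               0 /lib/libproc.so.0
"""

# Assumes COMMAND contains no whitespace (lsof truncates it to 9 chars);
# NAME may contain spaces, e.g. a trailing "(deleted)" on newer lsof.
ROW_RE = re.compile(
    r"^(?P<command>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+(?P<fd>\S+)\s+"
    r"(?P<type>\S+)\s+(?P<device>\S+)\s+(?:(?P<size>\S+)\s+)?"
    r"(?P<node>\S+)\s+(?P<name>\S.*)$"
)

# Kernel naming for System V shared memory segments: SYSV%08x (the shm key).
SYSV_SHM_RE = re.compile(r"^/SYSV[0-9a-fA-F]+")


@dataclass(frozen=True)
class Mapping:
    command: str
    pid: int
    user: str
    fd: str
    type: str
    name: str


def parse_lsof(text):
    """Parse default-format lsof output into Mapping records, skipping the header."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("COMMAND"):
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed lsof row: {line!r}")
        rows.append(Mapping(m["command"], int(m["pid"]), m["user"],
                            m["fd"], m["type"], m["name"].rstrip()))
    return rows


def classify(mapping):
    """Return 'sysv_shm', 'deleted_file' or 'ok' for one lsof row."""
    deleted = mapping.type == "DEL" or mapping.name.endswith("(deleted)")
    if not deleted:
        return "ok"
    if SYSV_SHM_RE.match(mapping.name):
        return "sysv_shm"
    return "deleted_file"


def triage(text):
    """Group deleted mappings by category: {category: [(command, pid, fd, name), ...]}."""
    report = {"sysv_shm": [], "deleted_file": []}
    for mapping in parse_lsof(text):
        category = classify(mapping)
        if category != "ok":
            report[category].append((mapping.command, mapping.pid, mapping.fd, mapping.name))
    return report


def deleted_executables(text):
    """Processes whose own program text (FD 'txt') is a deleted regular file."""
    return {(m.command, m.pid) for m in parse_lsof(text)
            if m.fd == "txt" and classify(m) == "deleted_file"}


if __name__ == "__main__":
    for category, rows in triage(SAMPLE_LSOF).items():
        print(category)
        for command, pid, fd, name in rows:
            print(f"  {command}[{pid}] {fd}: {name}")
    print("deleted executables:", sorted(deleted_executables(SAMPLE_LSOF)))
```

Entries in the sysv_shm bucket are shared-memory segments rather than missing files; `ipcs -m` on the host lists them with their owning pid and key for follow-up. Entries in the deleted_file bucket, above all any process returned by deleted_executables, are what to compare against the offline backups, since the on-disk copy the process was started from no longer exists to be checked.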


