Re: doing an ssh into a compromised host
> You could force the SSH client to *not* forward X11 with -x
> (the lower-case x character) regardless of other client/server-side
> specifications. If you do not specify any other special
> forwarding (-L or -R) then there will be no forwarding.
Good, that was what I was hoping for. (Obviously, my
default /etc/ssh/ssh_config doesn't turn forwarding on.)
Luckily, I am not using any agent forwarding either.
The box is remote, and I'll only have console access in a couple of days.
Meanwhile, the only thing I can do is look at some offline backups and
work remotely in the (compromised) environment. Right now I'm looking at
the lsof output there; lsof shows a curious entry for Apache:
apache 3170 root mem DEL 0,5 0 /SYSV0000000
Does it ring a bell for anyone? (The box runs apache 1.3.26-0woody5.)
chkrootkit (inside the compromised environment, so it is no big surprise)
doesn't report anything.
V.
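Added example (editor's code, not from the poster or anyone in the thread): the two pieces a practitioner would keep to hand for this situation. The first prints an ssh command line for a session into a host you treat as hostile, with X11, agent and every -L/-R/-D forwarding disabled on the client side regardless of what ssh_config says. The second is a filter over lsof output that lists deleted SysV shared-memory mappings per process: lsof prints TYPE "DEL" for a mapping whose backing segment was removed (shmctl IPC_RMID) while still attached, and the hex digits after /SYSV are the segment key, 00000000 being IPC_PRIVATE. The target host name and the lsof sample are constructed for the example; on the real box the output of `lsof -n -P` would be piped in, and each flagged segment cross-checked against `ipcs -m` there and against a known-good install of the same apache package.

```shell
#!/bin/sh
# Added example, not code from the original post or thread.
# Part 1: ssh invocation for an incident session into a hostile host.
# Part 2: filter over lsof output listing deleted SysV shm mappings
# (FD "mem", TYPE "DEL", NAME "/SYSV<hex key>") so they can be compared
# with ipcs -m on the same host.

# Print the ssh command line with every client-side forwarding disabled.
# -x: no X11 forwarding; -a: no agent forwarding; ClearAllForwardings=yes
# drops any -L/-R/-D tunnels inherited from ssh_config; PermitLocalCommand=no
# stops the escape sequence from running local commands. The target in $1
# (e.g. root@hostname) is hypothetical.
ssh_noforward_cmd() {
    printf 'ssh -x -a -o ForwardX11=no -o ForwardX11Trusted=no -o ForwardAgent=no -o ClearAllForwardings=yes -o PermitLocalCommand=no %s\n' "$1"
}

# Read lsof output on stdin (e.g. from: lsof -n -P 2>/dev/null) and print
# "PID USER NAME" for every deleted SysV shm mapping. Column positions
# follow lsof's default layout: COMMAND PID USER FD TYPE DEVICE ... NAME.
# The hex digits after /SYSV are the IPC key; 00000000 is IPC_PRIVATE.
flag_deleted_sysv() {
    awk '$4 == "mem" && $5 == "DEL" && $NF ~ /^\/SYSV[0-9a-fA-F]+$/ {
        print $2, $3, $NF
    }'
}

# Constructed sample lsof output (not captured from the poster's host),
# shaped like the line quoted in the post plus ordinary REG mappings.
SAMPLE_LSOF='COMMAND   PID USER     FD   TYPE DEVICE SIZE/OFF   NODE NAME
apache   3170 root     mem   DEL    0,5        0        /SYSV00000000
apache   3170 root     txt   REG    3,1   320000   1234 /usr/sbin/apache
apache   3171 www-data mem   DEL    0,5        0        /SYSV00000000
sshd     1020 root     mem   REG    3,1   120000   5678 /lib/libc.so.6'

# Run directly: show the command line to use, then the flagged mappings.
ssh_noforward_cmd 'root@compromised.example'
printf '%s\n' "$SAMPLE_LSOF" | flag_deleted_sysv
```

The filter deliberately prints every process attached to a deleted segment rather than only the first: the same /SYSV key appearing under the parent and each child of one server is the normal shape for a segment the parent created and then removed for cleanup, whereas a deleted segment attached to an unrelated process, or one whose key does not match what ipcs -m shows for that user, is what merits a closer look.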