
Re: /dev/shm/r?



On Mon, Jun 01, 2009 at 07:23:27AM -0400, Michael Stone wrote:

> Yes, that's a typical location for intruders to drop files. Easiest  
> thing to do is reinstall after thinking about how the compromise may  
> have occurred. (Did you update regularly, including kernel updates? Did  
> all accounts have strong passwords? Do you have web applications not  
> managed by the system that weren't being updated? etc.)

We had a serious situation on this computer and several others. Ssh
and sshd were replaced by the cracker's own versions, and in one case
nearly all the PAM-related stuff was replaced also.  Through these
customised versions of ssh the cracker harvested every password that
was used during ssh logins and ssh sessions.

We are winning the battle and will in the next few weeks try to do the
analysis of what went wrong.

Regards
Johann
-- 
Johann Spies          Telephone: 021-808 4599
Information Technology, Universiteit van Stellenbosch

     "Thou wilt show me the path of life: in thy presence 
      is fulness of joy; at thy right hand there are  
      pleasures for evermore."         Psalms 16:11 
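The compromise described in this message (ssh, sshd and PAM files replaced, plus drop files in /dev/shm) is the kind of thing a package-manifest check and a look at the world-writable tmpfs will surface. The following is an added example, not code from the thread or from any of the participants: it parses the output of `dpkg --verify` (available in dpkg 1.17 and later; on a 2009-era Debian the comparable list came from `debsums -c`), rates the findings, and applies simple heuristics to files in a directory such as /dev/shm. `CRITICAL_PATTERNS`, the heuristics and the sample dpkg output are assumptions constructed for illustration.

```python
"""Triage helper for the compromise described in the message above:
replaced ssh/sshd/PAM files and drop files in /dev/shm.

Added example, not code from the original thread. Parses `dpkg --verify`
output (dpkg >= 1.17; `debsums -c` on older Debian gives a similar list)
and scans a world-writable tmpfs. CRITICAL_PATTERNS and the sample output
are assumptions constructed for illustration.
"""
import os
import re
import stat

# Files a trojaned-ssh intruder typically replaces. Assumed for the example.
CRITICAL_PATTERNS = [
    re.compile(r"^/usr/s?bin/sshd?$"),                 # ssh client, sshd daemon
    re.compile(r"^/lib/.*/security/pam_[^/]+\.so$"),   # PAM modules
    re.compile(r"^/lib/.*/libpam(c|_misc)?\.so"),      # PAM libraries
]

# Constructed sample of `dpkg --verify` output (rpm -V style: 9-char status,
# '5' in column 3 = md5sum mismatch, 'c' attribute = conffile, then path).
SAMPLE_DPKG_VERIFY = """\
??5??????   /usr/sbin/sshd
??5??????   /usr/bin/ssh
??5?????? c /etc/pam.d/sshd
??5??????   /lib/x86_64-linux-gnu/security/pam_unix.so
missing     /usr/share/doc/openssh-server/copyright
"""


def parse_dpkg_verify(output):
    """Return (kind, is_conffile, path) for each failed check in dpkg -V output."""
    entries = []
    for line in output.splitlines():
        if not line.strip():
            continue
        status, rest = line[:9], line[9:].strip()
        is_conffile = rest.startswith("c ")
        path = rest[2:].strip() if is_conffile else rest
        if status.startswith("missing"):
            kind = "missing"
        elif status[2] == "5":
            kind = "modified"
        else:
            continue  # dpkg only implements the md5sum check; nothing failed
        entries.append((kind, is_conffile, path))
    return entries


def classify(entries):
    """Map parsed entries to (severity, reason, path).

    A changed non-conffile matching CRITICAL_PATTERNS is 'high': nobody edits
    /usr/sbin/sshd by hand. A changed conffile (/etc/pam.d/*, sshd_config)
    may be legitimate local configuration and is only 'review'.
    """
    findings = []
    for kind, is_conffile, path in entries:
        if is_conffile:
            findings.append(("review", "conffile " + kind, path))
        elif any(p.match(path) for p in CRITICAL_PATTERNS):
            findings.append(("high", "critical binary " + kind, path))
        else:
            findings.append(("medium", "package file " + kind, path))
    return findings


def dropzone_reasons(name, mode, size):
    """Heuristics for one file in /dev/shm. Legitimate POSIX shm segments are
    usually small, non-executable and named after their application."""
    reasons = []
    if name.startswith("."):
        reasons.append("hidden")
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        reasons.append("executable")
    if size > 1024 * 1024:
        reasons.append("large")
    return reasons


def scan_dropzone(directory="/dev/shm"):
    """Walk a tmpfs and return [(path, reasons)] for files worth a look."""
    suspects = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            st = os.lstat(full)        # lstat: do not follow planted symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            reasons = dropzone_reasons(name, st.st_mode, st.st_size)
            if reasons:
                suspects.append((full, reasons))
    return suspects


if __name__ == "__main__":
    for severity, reason, path in classify(parse_dpkg_verify(SAMPLE_DPKG_VERIFY)):
        print(f"{severity:6} {reason:24} {path}")
    if os.path.isdir("/dev/shm"):
        for path, reasons in scan_dropzone("/dev/shm"):
            print("dropzone", path, ",".join(reasons))
```

One caveat a practitioner will want: on a host that has already been rooted, dpkg itself and the md5sum lists under /var/lib/dpkg/info cannot be trusted any more than /usr/sbin/sshd can, so run the comparison from a rescue medium against hashes taken from freshly downloaded .deb files rather than from the suspect disk. A replaced ssh client also explains the harvested passwords in the message: the client sees every password in the clear before it is encrypted for the wire, so every credential typed on the box during the compromise window has to be treated as lost, which is why the quoted advice is to reinstall rather than clean.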

