[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: being hacked via ssh with X11 forwarding?

were you ssh'd into shell.schwa.net when that message showed up?  if you
were it was your machine that was connected to the remote X server not the
other way around.

if you are using ssh 1 i suggest using the argument -v to give verbose
information when connecting to a machine(i use ssh -l <username> -v -C
<hostname>)

nate

On Tue, 11 Jan 2000 debuser@platinum.globalmart.com wrote:

debuse >Well, I've talked to the guy that owns that machine, and he assured me
debuse >that he wasn't hacking me, and I believe him.  But now the question
debuse >remains, what caused this message?  Any possible explanations out there?
debuse >
debuse >Thanks,
debuse >
debuse >Gerry
debuse >
debuse >PS: I'm paranoid about being hacked since another machine on our network
debuse >was hacked via a smail vulnerability.
debuse >
debuse >On Fri, 7 Jan 2000, aphro wrote:
debuse >
debuse >> ssh automatically tries to connect to a remote X server when a conneciton
debuse >> is established, to disable this behavior(for good) recompile ssh with the
debuse >> configure flag --without-x to make sure nobody can connect to your X
debuse >> server or use your ssh client to connect to a remote X server.
debuse >> 
debuse >> dont think anyone can 'hack' your X unless they already had an account on
debuse >> your machine.
debuse >> 
debuse >> nate
debuse >> 
debuse >> On Thu, 6 Jan 2000 debuser@platinum.globalmart.com wrote:
debuse >> 
debuse >> debuse >>From my Linux box at work, I was using ssh to connect to my personal ISP.
debuse >> debuse >I had X11 forwarding turned on.  When I went to log out I got this
debuse >> debuse >message: 
debuse >> debuse >
debuse >> debuse >Waiting for forwarded connections to terminate...
debuse >> debuse >The following connections are open:
debuse >> debuse >  X11 connection from shell.schwa.net port 1087
debuse >> debuse >
debuse >> debuse >Is someone from that machine hacking me?  If so, how would he do this? If
debuse >> debuse >not, what does it mean?  I see there is a user logged onto my ISP from
debuse >> debuse >that machine.  What logs should I be looking at for information?
debuse >> debuse >
debuse >> debuse >Thanks,
debuse >> debuse >
debuse >> debuse >Gerry
debuse >> debuse >
debuse >> debuse >
debuse >> debuse >-- 
debuse >> debuse >Unsubscribe?  mail -s unsubscribe debian-user-request@lists.debian.org < /dev/null
debuse >> debuse >
debuse >> 
debuse >> ----------------------------------------[mailto:aphro@aphroland.org ]--
debuse >>    Vice President Network Operations       http://www.firetrail.com/
debuse >>   Firetrail Internet Services Limited      http://www.aphroland.org/
debuse >>        Everett, WA 425-348-7336            http://www.linuxpowered.net/
debuse >>             Powered By:                    http://comedy.aphroland.org/
debuse >>     Debian 2.1 Linux 2.0.36 SMP            http://yahoo.aphroland.org/
debuse >> -----------------------------------------[mailto:aphro@netquest.net ]--
debuse >> 12:30am up 140 days, 12:27, 2 users, load average: 1.99, 1.67, 1.57
debuse >> 
debuse >> 
debuse >> -- 
debuse >> Unsubscribe?  mail -s unsubscribe debian-user-request@lists.debian.org < /dev/null
debuse >> 
debuse >
debuse >
debuse >-- 
debuse >Unsubscribe?  mail -s unsubscribe debian-user-request@lists.debian.org < /dev/null
debuse >

----------------------------------------[mailto:aphro@aphroland.org ]--
   Vice President Network Operations       http://www.firetrail.com/
  Firetrail Internet Services Limited      http://www.aphroland.org/
       Everett, WA 425-348-7336            http://www.linuxpowered.net/
            Powered By:                    http://comedy.aphroland.org/
    Debian 2.1 Linux 2.0.36 SMP            http://yahoo.aphroland.org/
-----------------------------------------[mailto:aphro@netquest.net ]--
9:39pm up 145 days, 9:39, 2 users, load average: 0.56, 0.44, 0.38
Reply to: