l i n u x - u s e r s - g r o u p - o f - d a v i s
Next Meeting:
July 7: Social gathering
Next Installfest:
Latest News:
Jun. 14: June LUGOD meeting cancelled
Page last updated:
2002 Jun 11 19:25

The following is an archive of a post made to our 'vox mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
Re: [ILUG] Possible hack?
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [ILUG] Possible hack?

  • To: ilug@linuMAPSx.ie
  • Subject: Re: [ILUG] Possible hack?
  • Date: Tue, 28 May 2002 08:48:53 -0700

Quoting Barry O'Donovan (barry.odonovan@ucd.ie):

> Included in this are all instances of USER and PASS sent over the 
> network. (b@st@rd!)
> My system is RH 7.2 with ALL UPDATES installed via up2date. Not sure 
> how he got in yet. The box is behind the UCD firewall with only ssh, 
> http, ftp (although no ftpd running) ports open (at least to my 
> immediate knowledge). 

So, there's a common fallacy in the *ix world that all you have to do,
in order to keep the blighters out, is keep your system's software
current and thus (with luck) eliminate vulnerabilities before they can
be exploited.  (I used to think that, too.)  But the preceding two
paragraphs, considered together, indicate a way things can and do happen

Let's say you operate an *ix box and have a limited number of
justifiably trusted people as shell users.  (Maybe you're being
extravagantly paranoid, and are the _only_ shell user.)  You carry out
all the recommended careful administrative practices, including running
and heeding Tripwire (and you indeed deserve congratulations for having
done so, by the way!).  The only tool you ever use, or think of using,
for remote shell access is ssh.  You don't run non-anonymous ftp.  You
don't offer POP3.  Thus, no remote-shell passwords are exposed in

But you or some other user sshes in.  Inevitably, this include ssh'ing
in from boxes not under your administrative control.  Let us say that
one such user sshes in from a security-compromised host.  The intruder
who controls that host has, among his security-subverting measures,
installed a cracked ssh client that logs (and conveys to him) all
security tokens used by outgoing ssh sessions -- such as your user's 
login password.  The intruder now has the means to enter your system in
the guise of your user.

Once at the shell prompt of your system, his first priority is to crack
root access.  Fortunately for him, it's far, far easier to do so at the
system's command prompt than from a remote location, because he can
attack any privileged process, instead of just running network daemons
exposed to remote access.  (Moen's First Law of Security:  It's easier
to break in from the inside.)  Most *ix systems have _lots_ of such
targets installed -- and the intruder need succeed in buffer-overflowing
(etc.) only one.  Now, he sets up a "rootkit" to hide his presence from
sysadmin scrutiny, building or retrieving things like the trojaned "ps" 
binary that won't show his running processes.  Last, he sets up
additional security-subverting mechanisms such as a trojaned ssh client.
Which will allow him to collect security tokens for _additional_
systems, allowing the game to perpetuate itself.

> Most likely I'll do a complete reinstall of RH 7.3. (once I find the
> vulnerbility).

I hope the above is some help, in explaining why there need not have
been a "vulnerability" in the sense you contemplate.

By the way, I hope your first step was to secure backup copies of all 
files you care about.  That should be immediately followed by putting
the intruder out of business, in my view.

Cheers,   The difference between common sense and paranoia is that common sense
Rick Moen     is thinking everyone is out to get you.  That's normal; they are.
rick@linuxmafia.com      Paranoia is thinking they're conspiring.  -- J. Kegler

vox mailing list

LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
O'Reilly and Associates
For numerous book donations.