| |||||||||||||
|
| |||||||||||||
Debian Investigation ReportDebian Investigation ReportPosted Dec 2, 2003 16:35 UTC (Tue) by utidjian (subscriber, #444)Parent article: Debian Investigation Report There are multiple references to "sniffed passwords" in the report.... how so? keyloggers? something wrong with SSH? Or are Debian developers telnetting into the holiest of holies? -DU-...etc...
(Log in to post comments)
Debian Investigation Report Posted Dec 2, 2003 17:14 UTC (Tue) by maceto (guest, #16498) [Link] used a pass on a developers computer- for what I know he can be running win95 with putty, but interesting what you bring up here.Since ssh is secure- but I guess a keylogger get`s that to then.. Not a desktop security geek.
Debian Investigation Report Posted Dec 2, 2003 17:30 UTC (Tue) by utidjian (subscriber, #444) [Link] Again... in my reading of the chain of events... The attacker seems to be "sniffing" passwords across several machines... not just the first desktop.I use Putty all the time when I am stuck with a Windows box. It can do both ssh and telnet. Though I suppose it is MUCH simpler to get a keylogger installed on a Windows box. Perhaps this was an unsuspecting Debian contributor using a "friends" Windows box... who knows. I still find it awkward that so many passwords got "sniffed" in a row. -DU-...etc...
Debian Investigation Report Posted Dec 2, 2003 17:59 UTC (Tue) by piman (subscriber, #8957) [Link] Please read it again. Only one password was sniffed. Likely, a developer's home machine was compromised (probably with the same rootkit), and they logged into a Debian server.Once the attack had that password (or passphrase + private key, whatever), they can log into many Debian machines. From there, they used the brk vulnerability to get root, and then, install SuckIt.
Debian Investigation Report Posted Dec 3, 2003 23:30 UTC (Wed) by utidjian (subscriber, #444) [Link] > Please read it again.I have, from the timeline in the article... "Nov 19 17:00 Attacker logs into klecker with sniffed password OK... so far the attacker has gotten in with the "same sniffed password" and gone onto an additional machine (master)... rooted it and then moved on to murphy. So one "sniff" on one account yields three owned boxes. There is no mention of how the fourth system, gluck, getting rooted in the timeline. However, further down in the text... "On the next day the attacker used a password sniffed on master to log So now we have the second "sniffed" password. There are no details about what the reporter means by "sniffed". To me a "sniffed password" is one that goes by in cleartext on the network and gets "sniffed". Others may have a different definition. To me a "logged" password is one that gets logged from keystrokes at the keyboard or from a custom sshd installed on one of the previously cracked machines. To me a "cracked" password is one that gets matched from an /etc/shadow file via brute force. Other peoples definitions may vary. Other than the fact that these were machines were cracked.. we have the actual exploit that they used to elevate to root in detail and other bits and pieces they left lying around. I am also interested in exactly how all this "sniffing" occured. -DU-...etc...
Debian Investigation Report Posted Dec 2, 2003 17:29 UTC (Tue) by Ross (subscriber, #4065) [Link] Sometimes people ssh from one remote box to another. That's a bad ideabecause if the first box is compromized your password and other information can be sniffed in the second connection. Of course if the developer's workstation is compromized there is really no
Debian Investigation Report Posted Dec 2, 2003 17:46 UTC (Tue) by cdmiller (subscriber, #2813) [Link] You can put a keylogger in the kernel. Everything typed gets logged. Outgoing logins from an ssh connected individual are recorded.- cameron
Debian Investigation Report Posted Dec 2, 2003 22:01 UTC (Tue) by nix (subscriber, #2304) [Link] There is even code that does this in, for example, user-mode-linux.(Damned useful for firewall logs.)
Debian Investigation Report Posted Dec 2, 2003 23:23 UTC (Tue) by jonabbey (subscriber, #2736) [Link] Hm, do you have a URL that treats that subject?
|
|
||||||||||||