
Debian Investigation Report


Posted Dec 2, 2003 17:30 UTC (Tue) by utidjian (subscriber, #444)
In reply to: Debian Investigation Report by maceto
Parent article: Debian Investigation Report

Again... in my reading of the chain of events... The attacker seems to be "sniffing" passwords across several machines... not just the first desktop.

I use Putty all the time when I am stuck with a Windows box. It can do both ssh and telnet. Though I suppose it is MUCH simpler to get a keylogger installed on a Windows box. Perhaps this was an unsuspecting Debian contributor using a "friend's" Windows box... who knows.

I still find it awkward that so many passwords got "sniffed" in a row.

-DU-...etc...



Debian Investigation Report

Posted Dec 2, 2003 17:59 UTC (Tue) by piman (subscriber, #8957)

Please read it again. Only one password was sniffed. Likely, a developer's home machine was compromised (probably with the same rootkit), and they logged into a Debian server.

Once the attacker had that password (or passphrase + private key, whatever), they could log into many Debian machines. From there, they used the brk vulnerability to get root, and then installed SuckIt.

Debian Investigation Report

Posted Dec 3, 2003 23:30 UTC (Wed) by utidjian (subscriber, #444)

> Please read it again.

I have, from the timeline in the article...

"Nov 19 17:00 Attacker logs into klecker with sniffed password
Nov 19 17:08 Root-kit installed on klecker
Nov 19 17:20 Attacker logs into master with same sniffed password
Nov 19 17:47 Root-kit installed on master
Nov 19 18:30 Attacker logs into murphy with service account from master
Nov 19 18:35 Root-kit installed on murphy"

OK... so far the attacker has gotten in with the "same sniffed password" and gone onto an additional machine (master)... rooted it and then moved on to murphy. So one "sniff" on one account yields three owned boxes.

There is no mention of how the fourth system, gluck, got rooted in the timeline. However, further down in the text...

"On the next day the attacker used a password sniffed on master to log
into gluck, get root there and also install the SucKIT root-kit."

So now we have the second "sniffed" password.

There are no details about what the reporter means by "sniffed". To me a "sniffed password" is one that goes by in cleartext on the network and gets "sniffed". Others may have a different definition. To me a "logged" password is one that gets logged from keystrokes at the keyboard or from a custom sshd installed on one of the previously cracked machines. To me a "cracked" password is one that gets matched from an /etc/shadow file via brute force. Other people's definitions may vary.

Other than the fact that these machines were cracked... we have the actual exploit that they used to elevate to root in detail and other bits and pieces they left lying around. I am also interested in exactly how all this "sniffing" occurred.

-DU-...etc...
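The pattern the two posters argue over, one account's credential turning up on several servers within a short window, is something a defender can look for in authentication logs. The following is an added example, not code from the LWN thread or from the Debian report; the log line format, the account names and the addresses are constructed assumptions modelled loosely on the quoted timeline.

```python
"""Flag one account logging into two or more distinct hosts within a short
window, the fan-out described in the quoted Debian timeline (one sniffed
password, then klecker and master in about twenty minutes).

Added example, not part of the LWN thread or the Debian report. The log
format, account names and addresses below are constructed assumptions;
real sshd lines differ between distributions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines, loosely modelled on the report's timeline.
# Assumed format: "<host> <ISO timestamp> sshd: Accepted <method> for <user> from <src>"
SAMPLE_LOG = """\
klecker 2003-11-19T17:00:00 sshd: Accepted password for devuser from 192.0.2.10
master 2003-11-19T17:20:00 sshd: Accepted password for devuser from 192.0.2.10
murphy 2003-11-19T18:30:00 sshd: Accepted publickey for svcacct from 10.0.0.2
gluck 2003-11-20T09:15:00 sshd: Accepted password for admin2 from 10.0.0.2
master 2003-11-19T12:00:00 sshd: Accepted password for alice from 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<host>\S+) (?P<ts>\S+) sshd: Accepted (?P<method>\S+) "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

def parse_log(text):
    """Parse the constructed format into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events

def credential_reuse(events, window=timedelta(hours=2)):
    """Return {user: [hosts...]} for accounts seen on two or more distinct hosts
    within `window` of some first login, hosts listed in time order."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user[ev["user"]].append(ev)
    flagged = {}
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            hosts = []
            for ev in evs[i:]:
                if ev["ts"] - first["ts"] > window:
                    break  # events are sorted, so later ones are further away
                if ev["host"] not in hosts:
                    hosts.append(ev["host"])
            if len(hosts) >= 2 and len(hosts) > len(flagged.get(user, [])):
                flagged[user] = hosts  # keep the widest fan-out for this account
    return flagged
```

A per-account rule like this catches the klecker-to-master hop but not the murphy hop, which the timeline attributes to a different service account coming from master; linking that step needs the source address correlated against hosts already flagged.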

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds