Debian Investigation Report

Posted Dec 3, 2003 23:30 UTC (Wed) by utidjian (subscriber, #444) [Link]

I have, from the timeline in the article...

"Nov 19 17:00 Attacker logs into klecker with sniffed password
Nov 19 17:08 Root-kit installed on klecker
Nov 19 17:20 Attacker logs into master with same sniffed password
Nov 19 17:47 Root-kit installed on master
Nov 19 18:30 Attacker logs into murphy with service account from master
Nov 19 18:35 Root-kit installed on murphy"

OK... so far the attacker has gotten in with the "same sniffed password" and gone onto an additional machine (master)... rooted it and then moved on to murphy. So one "sniff" on one account yields three owned boxes.

There is no mention of how the fourth system, gluck, getting rooted in the timeline. However, further down in the text...

"On the next day the attacker used a password sniffed on master to log
into gluck, get root there and also install the SucKIT root-kit."

So now we have the second "sniffed" password.

There are no details about what the reporter means by "sniffed". To me a "sniffed password" is one that goes by in cleartext on the network and gets "sniffed". Others may have a different definition. To me a "logged" password is one that gets logged from keystrokes at the keyboard or from a custom sshd installed on one of the previously cracked machines. To me a "cracked" password is one that gets matched from an /etc/shadow file via brute force. Other peoples definitions may vary.

Other than the fact that these were machines were cracked.. we have the actual exploit that they used to elevate to root in detail and other bits and pieces they left lying around. I am also interested in exactly how all this "sniffing" occured.

-DU-...etc...