Debian Investigation Report

Posted Dec 3, 2003 23:30 UTC (Wed) by utidjian (subscriber, #444)
In reply to: Debian Investigation Report by piman
Parent article: Debian Investigation Report

> Please read it again.

I have, from the timeline in the article...

"Nov 19 17:00 Attacker logs into klecker with sniffed password
Nov 19 17:08 Root-kit installed on klecker
Nov 19 17:20 Attacker logs into master with same sniffed password
Nov 19 17:47 Root-kit installed on master
Nov 19 18:30 Attacker logs into murphy with service account from master
Nov 19 18:35 Root-kit installed on murphy"

OK... so far the attacker has gotten in with the "same sniffed password" and gone onto an additional machine (master)... rooted it and then moved on to murphy. So one "sniff" on one account yields three owned boxes.

There is no mention in the timeline of how the fourth system, gluck, got rooted. However, further down in the text...

"On the next day the attacker used a password sniffed on master to log
into gluck, get root there and also install the SucKIT root-kit."

So now we have the second "sniffed" password.

There are no details about what the reporter means by "sniffed". To me a "sniffed password" is one that goes by in cleartext on the network and gets "sniffed". Others may have a different definition. To me a "logged" password is one that gets logged from keystrokes at the keyboard or from a custom sshd installed on one of the previously cracked machines. To me a "cracked" password is one that gets matched from an /etc/shadow file via brute force. Other people's definitions may vary.

Other than the fact that these machines were cracked... we have the actual exploit that they used to elevate to root in detail and other bits and pieces they left lying around. I am also interested in exactly how all this "sniffing" occurred.

-DU-...etc...



Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds