Educause Security Discussion mailing list archives

Re: Ongoing Port 6000 attacks, Windows Xserver Compromises, keyloggers


From: Warren Petrofsky <petrofsk () SAS UPENN EDU>
Date: Wed, 24 Jan 2007 19:58:24 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Brian Smith-Sweeney wrote:
Hey Warren,

We've seen the same thing recently and we're pretty sure this is a
result of X11 sniffing.  A number of folks have done good writeups on
the subject, including:

The ease of (ab)using X11:
http://www.hackinglinuxexposed.com/articles/20040513.html
http://www.hackinglinuxexposed.com/articles/20040608.html

Other .EDUs' guides (with much thanks to the respective authors):
http://www.stanford.edu/group/security/securecomputing/x-window/index.html
http://csociety.ecn.purdue.edu/~sigos/projects/ssh/forwarding/#X11
http://www.biac.duke.edu/library/documentation/xwin32/Security.html
...

Brian, thank you so much for this excellent response.  I think you have
hit the nail on the head, and the follow-ups from James Barlow at NCSA,
and Wes Young at UBuffalo have added very valuable details as well.

One thing that threw us is that one user informed us that he only used
the compromised passwords over ssh.  I am guessing, now, that what
happened was that the user established an ssh session with X11
forwarding, opened an xterm and then proceeded to open further ssh
sessions from within the xterm, allowing the passwords to be captured
with X11 sniffing as you suggested.

Thanks again,

- --
Warren Petrofsky
petrofsk () sas upenn edu
Information Security Specialist
SAS Computing - University of Pennsylvania
215-573-0999
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFuACw3SthtV8kjpARAtLXAJ9Y/MbtMQgKPQR5baQt79d5XggE8gCfdxP/
wr/COchraXcGcyPGr6bk/Hc=
=aM/V
-----END PGP SIGNATURE-----
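The mechanism described in this thread (an X server on port 6000 reachable over TCP, plus ssh sessions started with X11 forwarding so that keystrokes typed into a forwarded xterm can be read by anyone who can connect to the display) can be audited on a client machine. The script below is an added example written for this archive page; it is not code from the thread or from any of the linked guides. It assumes two constructed inputs that stand in for a user's OpenSSH client config and for the output of `netstat -an`, and two hypothetical helper names, `ssh_config_forwards_x11` and `x11_tcp_listeners`, that flag the two conditions: X11 forwarding enabled in the ssh client config, and an X server listening on a TCP display port (6000-6063).

```shell
#!/bin/sh
# Added audit helper (not from the thread): flags the two client-side
# conditions the thread describes that let X11 sniffing capture passwords.

# Constructed sample of an OpenSSH client config (~/.ssh/config style).
SAMPLE_SSH_CONFIG='Host *
    ForwardX11 yes
    ForwardAgent no
Host bastion
    ForwardX11 no'

# Constructed sample of "netstat -an" output: an X server accepting TCP
# connections on displays :0 and :1 (ports 6000 and 6001), plus sshd.
SAMPLE_NETSTAT='Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:6000           0.0.0.0:0              LISTENING
TCP    127.0.0.1:22           0.0.0.0:0              LISTENING
TCP    0.0.0.0:6001           0.0.0.0:0              LISTENING'

# Returns 0 if any Host block turns on X11 forwarding (ForwardX11 or
# ForwardX11Trusted). Keyword match is case-insensitive, as in OpenSSH.
ssh_config_forwards_x11() {
    printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*ForwardX11(Trusted)?[[:space:]]+yes'
}

# Prints every X display port (6000-6063) found in a LISTEN/LISTENING state,
# one per line; returns 0 if at least one was found, 1 otherwise.
x11_tcp_listeners() {
    printf '%s\n' "$1" | awk '
        toupper($NF) ~ /LISTEN/ {
            n = split($2, a, ":"); port = a[n] + 0   # last ":"-field is the port
            if (port >= 6000 && port <= 6063) { found = 1; print port }
        }
        END { exit found ? 0 : 1 }'
}

# Human-readable summary of both checks for the given config and netstat text.
audit_report() {
    if ssh_config_forwards_x11 "$1"; then
        echo "WARNING: ssh client config enables X11 forwarding (ForwardX11 yes)"
    fi
    if ports=$(x11_tcp_listeners "$2"); then
        echo "WARNING: X server accepting TCP connections on port(s): $(printf '%s' "$ports" | tr '\n' ' ')"
    fi
}

# Run against the constructed samples when executed directly.
audit_report "$SAMPLE_SSH_CONFIG" "$SAMPLE_NETSTAT"
```

On a live machine, feed `audit_report` the contents of `~/.ssh/config` and the real `netstat -an` output. Either warning indicates the exposure in the thread: the fix on the client side is `ForwardX11 no` (or simply not using `-X`) and starting the X server so that it does not listen on TCP (the X.Org server's `-nolisten tcp` option), so that a keylogger or sniffer on the network cannot attach to the display at all.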
