Educause Security Discussion mailing list archives
Re: Ongoing Port 6000 attacks, Windows Xserver Compromises, keyloggers
From: Warren Petrofsky <petrofsk () SAS UPENN EDU>
Date: Wed, 24 Jan 2007 19:58:24 -0500
Brian Smith-Sweeney wrote:
> Hey Warren,
>
> We've seen the same thing recently and we're pretty sure this is a result of X11 sniffing. A number of folks have done good writeups on the subject, including:
>
> The ease of (ab)using X11:
> http://www.hackinglinuxexposed.com/articles/20040513.html
> http://www.hackinglinuxexposed.com/articles/20040608.html
>
> Other .EDUs guides (with much thanks to the respective authors):
> http://www.stanford.edu/group/security/securecomputing/x-window/index.html
> http://csociety.ecn.purdue.edu/~sigos/projects/ssh/forwarding/#X11
> http://www.biac.duke.edu/library/documentation/xwin32/Security.html
...

Brian, thank you so much for this excellent response. I think you have hit the nail on the head, and the follow-ups from James Barlow at NCSA and Wes Young at UBuffalo have added very valuable details as well.

One thing that threw us is that one user informed us that he only used the compromised passwords over ssh. I am guessing, now, that what happened was that the user established an ssh session with X11 forwarding, opened an xterm and then proceeded to open further ssh sessions from within the xterm, allowing the passwords to be captured with X11 sniffing as you suggested.

Thanks again,

--
Warren Petrofsky
petrofsk () sas upenn edu
Information Security Specialist
SAS Computing - University of Pennsylvania
215-573-0999
Current thread:
- Re: Ongoing Port 6000 attacks, Windows Xserver Compromises, keyloggers Roger Safian (Jan 24)
- <Possible follow-ups>
- Re: Ongoing Port 6000 attacks, Windows Xserver Compromises, keyloggers Brian Smith-Sweeney (Jan 24)
- Re: Ongoing Port 6000 attacks, Windows Xserver Compromises, keyloggers James J. Barlow (Jan 24)
- Re: Ongoing Port 6000 attacks, Windows Xserver Compromises, keyloggers Wes Young (Jan 24)
- Re: Ongoing Port 6000 attacks, Windows Xserver Compromises, keyloggers Warren Petrofsky (Jan 24)
- Re: Ongoing Port 6000 attacks, Windows Xserver Compromises, keyloggers Valdis Kletnieks (Jan 25)
- Re: Ongoing Port 6000 attacks, Windows Xserver Compromises, keyloggers Chris Edwards (Jan 26)