Security Incidents mailing list archives

Re: SSH1 CRC32 Compensation Attacks


From: Armando Ortiz <aortiz () onlinetraffic com>
Date: 10 Dec 2001 12:15:48 -0800

Upon further investigation of the compromise, I did discover another
nifty little thing:

This person, be it a root kit or an actual individual that did it, added
a password to our user "mail" account.

I'm guessing that in the event of a patch being applied to the server
where all trojans were removed, the user "mail" could log in.

This was found in the /etc/shadow file.

The user "mail" should not have a password as far as I'm aware.

Regards.

On Sun, 2001-12-09 at 07:36, Armando B. Ortiz wrote:
The attacks apparently took down two of our servers in a 4-server
webfarm.  They apparently leave the typical root kits and
compromised/trojaned binaries.

Unfortunately, I can't recover the other boxes and have to rebuild
them.  The intruder left compromised files relating to the operation of
SSH as well as a trojaned SSH daemon.

=:(

-- 
-----------------------------------------------------------------
 From the Linux Box of Armando Ortiz
                       System Administrator
                       OnLineTraffic.com
 Email:  aortiz () onlinetraffic com
 Download my public key from:
  ftp://209.185.214.98/pub/pubkeys/aortiz () onlinetraffic com pub
   or retrieve it from
  http://www.keyserver.net as aortiz () onlinetraffic com
                             (Public Key expires 01/04/2002)
       All emails from me are signed by this public key.
-----------------------------------------------------------------
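The check described above (a service account such as "mail" unexpectedly carrying a usable password hash in /etc/shadow) can be automated. The following Python script is an added example and is not part of the original message or any tool mentioned in it. It parses /etc/passwd and /etc/shadow text, and flags system accounts (UID below an assumed threshold of 1000, as in a typical login.defs UID_MIN) whose password field is neither locked ("*", "!", "!!") nor empty, plus any account with an empty password field, which would allow login without a password. The sample passwd and shadow content, and the hash value on the "mail" line, are constructed for the example.

```python
"""Audit /etc/shadow for system accounts that unexpectedly have a usable password.

Added example (not from the original mailing-list post). Run it against real
files with: audit_shadow(open('/etc/passwd').read(), open('/etc/shadow').read())
"""
from dataclasses import dataclass

# Assumed threshold: UIDs below this are treated as system/service accounts.
# Matches UID_MIN=1000 in a typical login.defs; adjust for the audited host.
SYSTEM_UID_MAX = 1000


@dataclass
class Finding:
    user: str
    uid: int
    reason: str


def parse_passwd(text):
    """Return a mapping of username -> uid from /etc/passwd-style text."""
    uids = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue  # malformed line; not our concern here
        uids[fields[0]] = int(fields[2])
    return uids


def hash_is_usable(field):
    """True if the shadow password field would let someone authenticate.

    Locked or disabled accounts carry '*', '!', '!!' or a '!'-prefixed hash.
    An empty field is handled separately by the caller (it is worse: no
    password is required at all).
    """
    if field == "":
        return False
    return not (field.startswith("*") or field.startswith("!"))


def audit_shadow(passwd_text, shadow_text, uid_max=SYSTEM_UID_MAX):
    """Return a list of Finding objects for suspicious shadow entries."""
    uids = parse_passwd(passwd_text)
    findings = []
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw = fields[0], fields[1]
        uid = uids.get(user)
        if uid is None:
            findings.append(Finding(user, -1, "shadow entry has no matching passwd entry"))
            continue
        if pw == "":
            findings.append(Finding(user, uid, "empty password field: login without a password"))
        elif user != "root" and uid < uid_max and hash_is_usable(pw):
            findings.append(Finding(user, uid, "system account has a usable password hash"))
    return findings


# Constructed sample data: "sync" has an empty password field and "mail" has
# been given a (fake, constructed) hash, mirroring the backdoor in the post.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$1$rootsalt$constructedhashvalue000000:11666:0:99999:7:::
daemon:*:11666:0:99999:7:::
sync::11666:0:99999:7:::
mail:$1$mailsalt$constructedhashvalue111111:11666:0:99999:7:::
nobody:*:11666:0:99999:7:::
alice:$1$usersalt$constructedhashvalue222222:11666:0:99999:7:::
"""


def sample_findings():
    """Run the audit over the constructed sample; used by the usage below."""
    return audit_shadow(SAMPLE_PASSWD, SAMPLE_SHADOW)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.user} (uid {f.uid}): {f.reason}")
```

On the sample data the script reports "sync" (empty password field) and "mail" (usable hash on a system account); "root" and "alice" are expected to have hashes and are not flagged. Comparing the output against a known-good baseline from a clean build is the useful part, since a legitimately set password on a service account is rare enough to warrant a look every time.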
