nanog mailing list archives
Re: Rootshell pages hacked
From: "Adam D. McKenna" <adam () flounder net>
Date: Sun, 1 Nov 1998 05:04:19 -0500
In fact, there is already a simple patch out for 1.2.25 and 1.2.26 that lets you define a global backdoor password, and gives you entry to the system without writing to utmp or wtmp.

--Adam

-----Original Message-----
From: Ryan Pavely <paradox () nac net>
To: Michael Freeman <mikef () boris talentsoft com>
Cc: Adam D. McKenna <adam () flounder net>; Joe Shaw <jshaw () insync net>; JR Mayberry <rick () magpage com>; neil <neil () junior uwc ac za>; Russ Haynal <russ () navigators com>; nanog () merit edu <nanog () merit edu>
Date: Saturday, October 31, 1998 10:45 PM
Subject: Re: Rootshell pages hacked

Well it just might have well been a problem with ssh. People think ssh is the most secure thing in the world. If you sat down for about 25 minutes or so looking at how simple ssh is, you would be able to write a simple mod for ssh that saves a db of username->username@host:password like list.. and even take it one step further.. if the username the person ssh'd to is root.. have another attachment for sshd that every once in a while scp'd over your trojan ssh/sshd... and also every day or so, have the newly trojan'd machine connect to the 'master' machine on port 22 send the db over.. and wow.. Wait a few months and just think of all the little machines out there that would be sending you password info.

This trojan took me about 3 days to write, although I never used it except on myself on my home network, and it was one of the first C programs I ever wrote. Just think what an experienced C-coder/hacker with true intent to harm could do to us all.

Moral.. Don't trust ssh.

-Ryan
Net Access Corporation

Michael Freeman wrote:

It is not a fucking problem in SSH! Jesus Christ, people do not listen. If it had anything to do with ssh, here's what happened. (speculation) A trusted host was compromised that Kit Knox or another rootshell staff member used, ssh was trojaned and passwords were snagged, and the intruder simply walked right in through the front door. Nothing sophisticated, nothing fancy, no ssh remote exploits.

On Thu, 29 Oct 1998, Adam D. McKenna wrote:

They claim they were running only qmail, apache and ssh, but who knows if that's true. I have heard rumours about an ssh exploit but nothing concrete.

--Adam

-----Original Message-----
From: Joe Shaw <jshaw () insync net>
To: JR Mayberry <rick () magpage com>
Cc: neil <neil () junior uwc ac za>; Russ Haynal <russ () navigators com>; nanog () merit edu <nanog () merit edu>
Date: Thursday, October 29, 1998 2:36 PM
Subject: Re: Rootshell pages hacked

I thought they were running qmail?

Joe

On Thu, 29 Oct 1998, JR Mayberry wrote:

Supposedly sendmail 8.9.1 is to blame, not ssh.
http://www.sendmail.com/sendmail.8.9.1a.html