Educause Security Discussion mailing list archives
Re: Ongoing Port 6000 attacks, Windows Xserver Compromises, keyloggers
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Thu, 25 Jan 2007 13:39:58 -0500
On Wed, 24 Jan 2007 16:42:36 EST, Warren Petrofsky said:
Our current working assumption is that there is an active compromise being spread via vulnerable Xserver installations on port 6000. After privilege escalation is achieved, keyloggers are being installed on the system in general, or all transmissions to the xsession are being logged.
mxconns is your (venerable, but still useful) friend: http://mxconns.web.cern.ch/mxconns/ Basically, the way it works is this: you launch mxconns on some port like 6005, and then when you launch an SSH that will forward X connections from the remote system back to you, you set it to point at that port rather than the real X server. So if anything on the remote box is trying to escape and tunnel back to contact your X server, it hits the mxconns proxy instead, which pops up a accept/deny dialog box before allowing the connection to proceed. The way I use it: Zeroeth: I start the X server with '-nolisten tcp', so only local clients can connect. First: in my .xsession file, I get mxconns launched. mxconns -verbose -fork -hunt >| ~/.mxconns Second: when I go to launch an SSH session, I run a script that does something like: displ=`cat ~/.mxconns` window=${displ:-$DISPLAY} /bin/sh -c "DISPLAY=$window exec ssh -X $target" So when the ssh tries to tunnel back, its connection gets to the mxconns process rather than the real X server, and if I get a pop-up requesting a connection that doesn't match a command I just entered, I know something is up. (Yes, this *can* still be beaten by a process that sits on the compromised remote system that waits for a process to start that connects back, and manages to win the race - but that requires the waiting process to notice that I've started a new process, and do its own 'XOpenDisplay()' call before mine does. Given that most X-based programs do that *very* early on, it's a pretty tight race to beat...)
Attachment:
_bin
Description:
Current thread:
- Re: Ongoing Port 6000 attacks, Windows Xserver Compromises, keyloggers Roger Safian (Jan 24)
- <Possible follow-ups>
- Re: Ongoing Port 6000 attacks, Windows Xserver Compromises, keyloggers Brian Smith-Sweeney (Jan 24)
- Re: Ongoing Port 6000 attacks, Windows Xserver Compromises, keyloggers James J. Barlow (Jan 24)
- Re: Ongoing Port 6000 attacks, Windows Xserver Compromises, keyloggers Wes Young (Jan 24)
- Re: Ongoing Port 6000 attacks, Windows Xserver Compromises, keyloggers Warren Petrofsky (Jan 24)
- Re: Ongoing Port 6000 attacks, Windows Xserver Compromises, keyloggers Valdis Kletnieks (Jan 25)
- Re: Ongoing Port 6000 attacks, Windows Xserver Compromises, keyloggers Chris Edwards (Jan 26)