Educause Security Discussion mailing list archives

Re: Ongoing Port 6000 attacks, Windows Xserver Compromises, keyloggers

From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Thu, 25 Jan 2007 13:39:58 -0500

On Wed, 24 Jan 2007 16:42:36 EST, Warren Petrofsky said:

Our current working assumption is that there is an active compromise
being spread via vulnerable Xserver installations on port 6000.  After
privilege escalation is achieved, keyloggers are being installed on the
system in general, or all transmissions to the xsession are being logged.


mxconns is your (venerable, but still useful) friend:

http://mxconns.web.cern.ch/mxconns/

Basically, the way it works is this:  you launch mxconns on some port like 6005,
and then when you launch an SSH that will forward X connections from the remote
system back to you, you set it to point at that port rather than the real
X server.  So if anything on the remote box is trying to escape and tunnel
back to contact your X server, it hits the mxconns proxy instead, which
pops up a accept/deny dialog box before allowing the connection to proceed.

The way I use it:

Zeroeth: I start the X server with '-nolisten tcp', so only local clients
can connect.

First: in my .xsession file, I get mxconns launched.

mxconns -verbose -fork -hunt >| ~/.mxconns

Second: when I go to launch an SSH session, I run a script that does something like:

displ=`cat ~/.mxconns`
window=${displ:-$DISPLAY}
/bin/sh -c "DISPLAY=$window exec ssh -X $target"

So when the ssh tries to tunnel back, its connection gets to the mxconns
process rather than the real X server, and if I get a pop-up requesting a
connection that doesn't match a command I just entered, I know something is
up.

(Yes, this *can* still be beaten by a process that sits on the compromised
remote system that waits for a process to start that connects back, and manages
to win the race - but that requires the waiting process to notice that I've
started a new process, and do its own 'XOpenDisplay()' call before mine does.
Given that most X-based programs do that *very* early on, it's a pretty tight
race to beat...)

Attachment: _bin
Description:

Current thread:

Re: Ongoing Port 6000 attacks, Windows Xserver Compromises, keyloggers Roger Safian (Jan 24)
- <Possible follow-ups>
- Re: Ongoing Port 6000 attacks, Windows Xserver Compromises, keyloggers Brian Smith-Sweeney (Jan 24)
- Re: Ongoing Port 6000 attacks, Windows Xserver Compromises, keyloggers James J. Barlow (Jan 24)
- Re: Ongoing Port 6000 attacks, Windows Xserver Compromises, keyloggers Wes Young (Jan 24)
- Re: Ongoing Port 6000 attacks, Windows Xserver Compromises, keyloggers Warren Petrofsky (Jan 24)
- Re: Ongoing Port 6000 attacks, Windows Xserver Compromises, keyloggers Valdis Kletnieks (Jan 25)
- Re: Ongoing Port 6000 attacks, Windows Xserver Compromises, keyloggers Chris Edwards (Jan 26)