Security Incidents mailing list archives

Re: RedHat compromise


From: Jose Nazario <jose () BIOCSERVER BIOC CWRU EDU>
Date: Tue, 20 Feb 2001 13:36:05 -0500

On Tue, 20 Feb 2001, Johan.Augustsson wrote:

> Telnet!? Are you out of your mind? The intruder might use the cracked
> box as a sniffer and then you try to telnet to it? Use SSH and do not
> use telnet for any other systems in the same physical network as the
> cracked computer.

one overlooked possibility is that if they have root on the box you're on
already, they can easily intercept system calls and reassemble your ssh
stream. in fact, a tool exists to do this: sshsniff. all you need is one
side of the connection, and attach yourself to the process.

____________________________
jose nazario                                                 jose () cwru edu
                     PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
                                       PGP key ID 0xFD37F4E5 (pgp.mit.edu)
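
Added example, not part of the original post: a defender-side check for the "attach yourself to the process" case described above. It scans a Linux /proc tree for ssh/sshd processes whose TracerPid field is non-zero. The watched process names, the `proc_root` parameter and the sample data are assumptions made for illustration, and an intruder with root can hide from this check by tampering with the kernel or with /proc, so a clean result from a compromised host proves nothing on its own.

```python
import os

WATCHED = {"ssh", "sshd"}  # assumption: default OpenSSH process names

def read_status(path):
    """Parse a /proc/<pid>/status file into a dict of field -> value."""
    fields = {}
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
    return fields

def find_traced(proc_root="/proc", watched=WATCHED):
    """Return [(pid, name, tracer_pid, tracer_name)] for watched processes
    that currently have another process attached as a tracer."""
    hits = []
    for entry in sorted(os.listdir(proc_root), key=lambda e: (len(e), e)):
        if not entry.isdigit():
            continue
        try:
            st = read_status(os.path.join(proc_root, entry, "status"))
        except OSError:
            continue  # process exited between listdir() and open()
        tracer = int(st.get("TracerPid", "0") or 0)
        if tracer == 0 or st.get("Name") not in watched:
            continue
        try:
            tracer_status = read_status(os.path.join(proc_root, str(tracer), "status"))
            tname = tracer_status.get("Name", "?")
        except OSError:
            tname = "?"  # tracer not visible in this /proc view
        hits.append((int(entry), st["Name"], tracer, tname))
    return hits

def build_sample_proc(root):
    """Constructed sample data: a fake /proc with one traced sshd."""
    sample = {
        "812": "Name:\tsshd\nState:\tS (sleeping)\nPid:\t812\nTracerPid:\t0\n",
        "1290": "Name:\tsshd\nState:\tS (sleeping)\nPid:\t1290\nTracerPid:\t1377\n",
        "1377": "Name:\tstrace\nState:\tS (sleeping)\nPid:\t1377\nTracerPid:\t0\n",
        "1401": "Name:\tbash\nState:\tS (sleeping)\nPid:\t1401\nTracerPid:\t1377\n",
    }
    for pid, text in sample.items():
        os.makedirs(os.path.join(root, pid))
        with open(os.path.join(root, pid, "status"), "w") as fh:
            fh.write(text)

if __name__ == "__main__":
    for pid, name, tracer, tname in find_traced():
        print(f"{name}[{pid}] is being traced by {tname}[{tracer}]")
```

Run it from trusted media or against a mounted image where possible, since binaries and the interpreter on the suspect host may themselves be modified.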

