Mailinglist Archive: opensuse-security (685 mails)

Re: [suse-security] compromised SuSE7.3?
  • From: Torsten Wolf <t.wolf@xxxxxxxx>
  • Date: Thu, 7 Feb 2002 16:14:18 +0100
  • Message-id: <200202071514.QAA22645@xxxxxxxxxxxxxxxxxxx>
Michael Appeldorn wrote on Thursday, 7 February 2002 13:35:

> So what ? You wrote your system crashed - the logfile was not closed
> properly.

The system crashed when I tried to open an xterm but not an hour ago.
I'm running ext3 and imho if there were messages they should have found
their way onto the hd, shouldn't they?

> ACK - that's why you should mask your IP even when you post logs to a
> list ^^^^^^^^^^^^^^^^^^^^^^^

Well that was really a bad idea, but as long as the name of my computer
is listed in the news header (nntp-posting-host) people will have an
address to connect to. So should I manipulate my header so that it will
show something else?

> >After that I changed the "Protocol" in sshd_config to 2 (was 2,1
> >before), even though it is said here, that this ssh-version is as
> Too late!

So all comments about how secure openssh2.9.9p2-74 is are nonsense?

> My guesses for ssh - you installed an update with rpm -i instead of
> rpm -u, or a script such as harden_suse changed attributes.

I used YOU to get the most (what SuSE calls it) up-to-date packages.
Whenever I update an rpm-package manually, I use the -u option.
Hopefully, YOU does the same...

> By the way - it's ssh, not sshd. An attacker would exchange the daemon
> to get in.

Yes, that's clear. I first checked openssh.rpm as the sshd is part of
this package.

> If you think it's not only paranoia, then check this URL for forensic
> analysis.

Is it a question of paranoia? Are there no ways to ensure that the
system is clean while keeping it alive? In evidence.txt they checked
the md5sums of the installed packages. Which database do they use as
reference? When I check all binaries as recently described, there is
still the possibility that the rpm-database is corrupted itself, isn't
there? Or is the result that the md5sums of all the binaries were ok
sufficient to declare this system clean?
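A small triage helper for the verification the last paragraph asks about, added here as an example and not part of the thread: it parses `rpm -V` output (the flag columns are rpm's real format; the sample lines are constructed). Because `rpm -V` compares against the local RPM database, the same parser applies unchanged to `rpm -Vp <package.rpm>` output, which verifies against package files taken from install media or a trusted mirror rather than from the possibly tampered database.

```python
"""Triage `rpm -V` / `rpm -Vp` output: separate changed binaries from edited configs.

Added example, not from the thread. The flag string is rpm's real format
(S=size, M=mode, 5=MD5, D=device, L=symlink, U=user, G=group, T=mtime,
P=capabilities in newer rpm); the SAMPLE lines below are constructed.
"""
import re

# One verify line: flag columns (or the word "missing"), an optional
# attribute letter (c=config, d=doc, g=ghost, l=license, r=readme), then the path.
_LINE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9}|missing)\s+(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S+)$"
)

def parse_verify_line(line):
    """Return a dict describing one verify line, or None if the line is not one."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    flags = m.group("flags")
    changed = set() if flags == "missing" else {ch for ch in flags if ch not in ".?"}
    return {
        "path": m.group("path"),
        "config": m.group("attr") == "c",
        "missing": flags == "missing",
        "changed": changed,
    }

def triage(output):
    """Classify reported files: content changes in non-config files are alerts,
    mode/owner changes are informational, mtime-only or config edits are expected."""
    result = {"alert": [], "expected": [], "info": []}
    for line in output.splitlines():
        rec = parse_verify_line(line)
        if rec is None:
            continue
        if rec["missing"] or "5" in rec["changed"] or "S" in rec["changed"]:
            (result["expected"] if rec["config"] else result["alert"]).append(rec["path"])
        elif rec["changed"] - {"T"}:
            result["info"].append(rec["path"])
        else:
            result["expected"].append(rec["path"])
    return result

SAMPLE = """\
S.5....T  /usr/sbin/sshd
S.5....T c /etc/ssh/sshd_config
.M......  /usr/bin/ssh
.......T  /usr/share/doc/packages/openssh/README
missing   /usr/bin/ssh-keygen
"""

if __name__ == "__main__":
    for level, paths in triage(SAMPLE).items():
        print(level, paths)
```

Run it against `rpm -Va` output saved from the live host, and again against `rpm -Vp` output for the same packages from trusted media; a binary that only the first run reports as clean is a sign the local database, not the file, was altered.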

