Re: [suse-security] compromised SuSE7.3?
On 07.02.2002 13:54:15, Mark Ruth <Mark.Ruth@xxxxxxx> wrote:

>> >my guesses:
>> >pam.d/sshd was changed when activating md5 passwords (>8 characters)
>> >ssh*_config were changed by myself
>> >ssh hmmm... as one can change file permissions (easy,local,secure), is
>> >it possible, that after an installation default permissions and groups
>> >are overridden by a script that sets the chosen values?
>> My guesses for ssh - you installed an update with rpm -i instead of
>> rpm -u or a script such as harden_suse changed attributes.
>> By the way - it's ssh not sshd. An attacker would exchange the daemon to
>> get in.
>are you sure?
>He would _probably_ exchange the daemon or install a second one
>listening on a different port. In that case sshd is untouched.
>Why not modify ssh to log passwords?

Ack - according to the honeypot doc - the link was in the last mail -
you could examine ssh using 'strings ssh | less' for suspicious content
and sniff network traffic when using ssh (at login time) using tcpdump.

Another fine idea could be to 'strace ssh' to seek a file that will contain
the sniffed passwords.

But, as I wrote, a script like harden_suse could change those attributes.

Michael Appeldorn
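An added example, not from this thread or from any SuSE tool: a small Python script that does offline what the reply suggests doing by hand. It pulls printable strings out of a binary the way `strings` does, flags the kind of odd file paths a password logger would need (drop files under /tmp or /var/tmp, hidden dotfiles, unusual /dev entries), and compares a file's permission bits against the mode you expect from the package, which is the check `rpm -V` would do for the changed attributes discussed above. The sample binary contents, the allowlist of /dev nodes and the expected mode are constructed for the example, and a real ssh binary legitimately contains strings like "Password:", so the scan looks only at paths, not at keywords.

```python
"""Offline triage of a possibly tampered ssh binary.

Two checks from the mailing-list discussion:
  1. `strings`-style extraction and a scan for suspicious file paths
  2. comparing the file's mode bits against the package's expected mode
"""
import os
import re
import stat
import tempfile

# Constructed stand-in for the bytes of an ssh binary: ELF magic, a real-looking
# usage string, a harmless /dev/null reference, the normal "Password:" prompt,
# and one hidden drop file under /tmp (the kind of thing a logger would use).
SAMPLE_BINARY = (
    b"\x7fELF\x01\x01\x01\x00"
    b"usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy]\x00"
    b"/dev/null\x00"
    b"Password:\x00"
    b"/tmp/.X11-sock.log\x00"
)

# /dev entries a normal ssh client has good reason to touch (constructed list).
DEV_ALLOWLIST = {"/dev/null", "/dev/tty", "/dev/ptmx", "/dev/urandom", "/dev/random"}

# Paths worth a second look: world-writable scratch dirs, anything hidden, /dev.
_PATH_RE = re.compile(r"^(/tmp/|/var/tmp/|/dev/)")
_HIDDEN_RE = re.compile(r"/\.[^/]")


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return runs of printable ASCII of at least min_len bytes (like strings(1))."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def flag_suspicious(strings: list[str]) -> list[str]:
    """Keep only strings that look like unexpected file paths."""
    flagged = []
    for s in strings:
        if s in DEV_ALLOWLIST:
            continue
        if _PATH_RE.match(s) or _HIDDEN_RE.search(s):
            flagged.append(s)
    return flagged


def scan_binary(data: bytes) -> list[str]:
    """Convenience wrapper: strings extraction followed by the path scan."""
    return flag_suspicious(extract_strings(data))


def check_mode(path: str, expected_mode: int) -> tuple[bool, int]:
    """Compare a file's permission bits with the mode the package should have
    installed; returns (matches, actual_mode) so the caller can report both."""
    actual = stat.S_IMODE(os.stat(path).st_mode)
    return actual == expected_mode, actual


def make_sample_file(mode: int) -> str:
    """Create a temporary file with the given mode bits (for the demonstration)."""
    fd, path = tempfile.mkstemp(prefix="ssh-sample-")
    os.close(fd)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    print("suspicious strings:", scan_binary(SAMPLE_BINARY))
    # Hypothetical expected mode for the client binary; take the real value from
    # the package (rpm -qlv openssh) rather than from this example.
    sample = make_sample_file(0o4755)
    ok, actual = check_mode(sample, 0o755)
    print("mode as packaged:", ok, "actual:", oct(actual))
    os.unlink(sample)
```

Run it against the real binary by reading the file into `scan_binary` and pass `check_mode` the path and the mode the package database lists; a non-empty flagged list or a mode mismatch is a reason to compare the file's checksum against the distribution's package, not proof of compromise on its own.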

