Re: Rootshell pages hacked
They claim they were running only qmail, apache and ssh, but who knows if that's true. I have heard rumours about an ssh exploit but nothing concrete.
--Adam
-----Original Message-----
From: Joe Shaw <jshaw@insync.net>
To: JR Mayberry <rick@magpage.com>
Cc: neil <neil@junior.uwc.ac.za>; Russ Haynal <russ@navigators.com>; nanog@merit.edu <nanog@merit.edu>
Date: Thursday, October 29, 1998 2:36 PM
Subject: Re: Rootshell pages hacked
I thought they were running qmail?
Joe
On Thu, 29 Oct 1998, JR Mayberry wrote:
Supposedly sendmail 8.9.1 is to blame, not ssh. http://www.sendmail.com/sendmail.8.9.1a.html
In message <04c601be0373$c0dc2d90$e50984a9@flounder.telecom.idt.net>, "Adam D. McKenna" writes:
They claim they were running only qmail, apache and ssh, but who knows if that's true.
I have heard rumours about an ssh exploit but nothing concrete.
I know of some interesting sites that were hacked into "using ssh" recently. The trick is to attack the SSH *client* machine, and then take advantage of things like a running ssh-agent and existing authorized_keys files to connect to the server host using the existing (valid) trust relationship. This isn't an SSH bug, merely a standard side effect of distributed trust.
--
C. Harald Koch <chk@utcc.utoronto.ca>
"It takes a child to raze a village." -Michael T. Fry
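Koch's point is that the server trusts whatever authorized_keys says, so a compromised client machine inherits that trust. The shell script below is an added example, not from the thread or any project: it audits an authorized_keys file and reports keys that carry no from= host restriction (the option that limits which client hosts may use a key); the sample entries it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread or any project: audit an authorized_keys
# file for keys that any client host may use. A key with no from="..." option
# is the "existing (valid) trust relationship" Koch describes: whoever controls
# the client machine (and its ssh-agent) can use it from anywhere. Keys
# restricted with from= only work from the listed hosts, which limits what a
# stolen key or hijacked agent buys the intruder.

# Print one report line per unrestricted key; return 0 only if none is found.
audit_authorized_keys() {
    file=$1
    unrestricted=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            ''|'#'*) continue ;;           # skip blank lines and comments
        esac
        # Options, when present, come before the key and are comma-separated,
        # so a from= restriction is either first or follows a comma. Quoted
        # values may contain spaces, so the whole line is inspected.
        case $line in
            'from='*|*',from='*) ;;        # restricted to named hosts
            *)
                unrestricted=$((unrestricted + 1))
                printf '%s:%d: key usable from any host\n' "$file" "$n"
                ;;
        esac
    done < "$file"
    [ "$unrestricted" -eq 0 ]
}

# Write a constructed sample file (all values invented for this example).
write_sample_keys() {
    cat > "$1" <<'EOF'
# two keys restricted to known hosts, one open to the whole Internet
from="10.0.0.5",no-agent-forwarding ssh-rsa AAAAB3Nza...EXAMPLE1 alice@desk
command="/usr/bin/rsync --server",from="backup.example.net" ssh-rsa AAAAB3Nza...EXAMPLE2 backup
ssh-rsa AAAAB3Nza...EXAMPLE3 bob@laptop
EOF
}

# Run the audit on the constructed sample: reports line 4 and returns 1.
sample=$(mktemp)
write_sample_keys "$sample"
audit_authorized_keys "$sample"
rm -f "$sample"
```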
It is not a fucking problem in SSH! Jesus christ, people do not listen. If it had anything to do with ssh, here's what happened. (speculation) A trusted host was compromised that Kit Knox or another rootshell staff member used, ssh was trojaned and passwords were snagged, and the intruder simply walked right in through the front door. Nothing sophisticated, nothing fancy, no ssh remote exploits.
On Thu, 29 Oct 1998, Adam D. McKenna wrote:
They claim they were running only qmail, apache and ssh, but who knows if that's true.
I have heard rumours about an ssh exploit but nothing concrete.
--Adam
Well it just might have well been a problem with ssh. People think ssh is the most secure thing in the world. If you sat down for about 25 minutes or so looking at how simple ssh is, you would be able to write a simple mod for ssh that saves a db of username->username@host:password like list.. and even take it one step further.. if the username the person ssh'd to is root.. have another attachment for sshd that every once in a while scp'd over your trojan ssh/sshd... and also every day or so, have the newly trojaned machine connect to the 'master' machine on port 22 send the db over.. and wow.. Wait a few months and just think of all the little machines out there that would be sending you password info. This trojan took me about 3 days to write, although I never used it except on myself on my home network, and it was one of the first c programs I ever wrote. Just think what an experienced c-coder/hacker with true intent to harm could do to us all.
Moral.. Don't trust ssh.
-Ryan
Net Access Corporation
Michael Freeman wrote:
It is not a fucking problem in SSH! Jesus christ, people do not listen. If it had anything to do with ssh, here's what happened. (speculation) A trusted host was compromised that Kit Knox or another rootshell staff member used, ssh was trojaned and passwords were snagged, and the intruder simply walked right in through the front door. Nothing sophisticated, nothing fancy, no ssh remote exploits.
Moral.. Don't trust ssh.
-Ryan Net Access Corporation
Even though he works for me, I don't agree with him. SSH inherently itself is quite secure, obviously. I use it daily and encourage our staff to do the same. The exploit (really, trojan horse) that Ryan describes is something you can do on your own machine to capture other folks' passwords. This, however, is true in most cases.
--
Atheism is a non-prophet organization. I route, therefore I am.
Alex Rubenstein, alex@nac.net, KC2BUO, ISP/C Charter Member
Father of the Network and Head Bottle-Washer
Net Access Corporation, 9 Mt. Pleasant Tpk., Denville, NJ 07834
Don't choose a spineless ISP; we have more backbone! http://www.nac.net
SSH without S/Key or some kind of one-time password is useless in case of any compromised passwords (except the case when you'd like to restrict access to the trusted set of hosts). I do not believe SSH itself to be a problem; UNIX one-time passwords are the real problem. Another bad problem is _the same UNIX password for all purposes_ - I can sniff your FTP password and use it for SSH access (for example).
On Sat, 31 Oct 1998, Michael Freeman wrote:
Date: Sat, 31 Oct 1998 14:45:51 +0000 (Local time zone must be set--see zic manual page)
From: Michael Freeman <mikef@boris.talentsoft.com>
To: "Adam D. McKenna" <adam@flounder.net>
Cc: Joe Shaw <jshaw@insync.net>, JR Mayberry <rick@magpage.com>, neil <neil@junior.uwc.ac.za>, Russ Haynal <russ@navigators.com>, nanog@merit.edu
Subject: Re: Rootshell pages hacked
It is not a fucking problem in SSH! Jesus christ, people do not listen. If it had anything to do with ssh, here's what happened. (speculation) A trusted host was compromised that Kit Knox or another rootshell staff member used, ssh was trojaned and passwords were snagged, and the intruder simply walked right in through the front door. Nothing sophisticated, nothing fancy, no ssh remote exploits.
Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line), (+7 095) 239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
On Mon, 2 Nov 1998, Alex P. Rudnev wrote:
problem, UNIX one-time passwords are real problem. Another bad problem is _the same UNIX password for all purposes_ - I can sniff your FTP password and use it for SSH access (for example).
Very true. Then again, FTP'ing in cleartext is kinda stupid in and of itself. Why not just FTP thru an SSH tunnel? Or, if you're up for an adventure (and a not-totally-complete(TM) spec), try the secure file xfer stuff in SSH2...
At 09:51 AM 11/2/98 -0500, Adam Rothschild wrote:
Very true. Then again, FTP'ing in cleartext is kinda stupid in and of itself. Why not just FTP thru an SSH tunnel? Or, if you're up for an adventure (and a not-totally-complete(TM) spec), try the secure file xfer stuff in SSH2...
Or, for the unix-inclined, scp works rather well under SSH 1.2.x
--
My public PGP key may be found at http://www.lightning.net/~jreddy
John Patrick Reddy, Sr. System Administrator, Lightning Internet Services, LLC.
Tel.(516)248-8400x123  Pag.(888)935-2700  Fax.(516)248-8897
327 Sagamore Ave, Mineola, NY 11501
On Mon, 2 Nov 1998, John P. Reddy wrote:
Or, for the unix-inclined, scp works rather well under SSH 1.2.x
You can also use some kind of terminal emulator and run zmodem over your ssh session. Works wonders with newer SecureCRT for instance. Then you also have resume if your download fails etc.
-----
Mikael Abrahamsson email: swmike@swm.pp.se