Quoting Barry O'Donovan (barry.odonovan at ucd.ie):
> Included in this are all instances of USER and PASS sent over the
> network. (b at st@rd!)
>> My system is RH 7.2 with ALL UPDATES installed via up2date. Not sure
> how he got in yet. The box is behind the UCD firewall with only ssh,
> http, ftp (although no ftpd running) ports open (at least to my
> immediate knowledge).
So, there's a common fallacy in the *ix world that all you have to do,
in order to keep the blighters out, is keep your system's software
current and thus (with luck) eliminate vulnerabilities before they can
be exploited. (I used to think that, too.) But the preceding two
paragraphs, considered together, indicate a way things can and do happen
otherwise.
Let's say you operate an *ix box and have a limited number of
justifiably trusted people as shell users. (Maybe you're being
extravagantly paranoid, and are the _only_ shell user.) You carry out
all the recommended careful administrative practices, including running
and heeding Tripwire (and you indeed deserve congratulations for having
done so, by the way!). The only tool you ever use, or think of using,
for remote shell access is ssh. You don't run non-anonymous ftp. You
don't offer POP3. Thus, no remote-shell passwords are exposed in
plaintext.
But you or some other user sshes in. Inevitably, this include ssh'ing
in from boxes not under your administrative control. Let us say that
one such user sshes in from a security-compromised host. The intruder
who controls that host has, among his security-subverting measures,
installed a cracked ssh client that logs (and conveys to him) all
security tokens used by outgoing ssh sessions -- such as your user's
login password. The intruder now has the means to enter your system in
the guise of your user.
Once at the shell prompt of your system, his first priority is to crack
root access. Fortunately for him, it's far, far easier to do so at the
system's command prompt than from a remote location, because he can
attack any privileged process, instead of just running network daemons
exposed to remote access. (Moen's First Law of Security: It's easier
to break in from the inside.) Most *ix systems have _lots_ of such
targets installed -- and the intruder need succeed in buffer-overflowing
(etc.) only one. Now, he sets up a "rootkit" to hide his presence from
sysadmin scrutiny, building or retrieving things like the trojaned "ps"
binary that won't show his running processes. Last, he sets up
additional security-subverting mechanisms such as a trojaned ssh client.
Which will allow him to collect security tokens for _additional_
systems, allowing the game to perpetuate itself.
> Most likely I'll do a complete reinstall of RH 7.3. (once I find the
> vulnerbility).
I hope the above is some help, in explaining why there need not have
been a "vulnerability" in the sense you contemplate.
By the way, I hope your first step was to secure backup copies of all
files you care about. That should be immediately followed by putting
the intruder out of business, in my view.
--
Cheers, The difference between common sense and paranoia is that common sense
Rick Moen is thinking everyone is out to get you. That's normal; they are.
rick at linuxmafia.com Paranoia is thinking they're conspiring. -- J. Kegler
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
