Message-ID: <769E8CE8D1A0BF438B62C3DB10C60B9F352091@mtccexchg04.ad.bmhcc.org>
From: Stephen.Agar at bmhcc.org (Stephen Agar)
Subject: !SPAM! Automated ssh scanning
I think many of you are missing the point. Yes, the guest/guest account is
weak, but this kernel is (according to Debian) patched, therefore free from
local exploits that can be used to gain superuser access. I mean, if this
were the case, then any box that ran this version of Debian to do something
like "web hosting" that gave users shell access may as well give them all
full sudo. Because you people are assuming that if someone can gain access
to the box, secured or not, they can gain root. I disagree.
I feel totally confident that if you gain access to my FreeBSD 4.10 box with
an unprivileged account (not that you will, of course) then you will remain
an "unprivileged user": no local root exploit... no worries.
--stephen
> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of
> Todd Towles
> Sent: Thursday, August 26, 2004 8:12 AM
> To: Richard Verwayen; FD
> Subject: RE: !SPAM! [Full-Disclosure] Automated ssh scanning
>
> The kernel could be safe. But with weak passwords, you are
> toast. Any automated tool would test guest/guest.
>
> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of
> Richard Verwayen
> Sent: Thursday, August 26, 2004 6:08 AM
> To: 'FD'
> Subject: RE: !SPAM! [Full-Disclosure] Automated ssh scanning
>
> On Thu, 2004-08-26 at 11:47, Yaakov Yehudi wrote:
> > In spite of many reports to the contrary, Linux is _not_ secure by
> > default.
> > Did you harden it? There is a lot of documentation on the web as to
> > how to go about it.
> >
> > YY
> Hello Yaakov,
>
> This system was a pure Debian woody non-production one with
> all services disabled - just ssh was left open in order to
> see what the purpose of the scan was! Yes, there was a guest
> account with a weak password (guest) on it!
> And yes, they logged in and became root in no time. But I
> thought the kernel compiled from the latest Debian woody
> kernel-source could be considered to be safe. But I was
> wrong! So I posted the tools used by the attackers to this
> list and also to the Debian security team.
>
> Richard
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html