Message-ID: <1093542315.541.32.camel@localhost>
From: frank at knobbe.us (Frank Knobbe)
Subject: Automated ssh scanning

On Wed, 2004-08-25 at 17:32, Richard Verwayen wrote:
> The attackers installed some software and irc-bots and tried to use this
> host for testing other computers, that's not the point. I would like to
> know where's the weak point in the system? As the system was updated on
> a daily basis! The only known weaknesses were these two accounts!

How do you know what they brought in? Do you have shell history files
available? Care to share them with us? Shell history (if left
over) should give a clue to not just what they brought in, but also how
they used it. That will answer your question as to what local root
exploit they used.

If you don't have shell history files left over, try repeating the
experiment with .history hard-linked to something like
.opera/adprefs.ini (create other .opera/ files as cover). Once they
clean up and delete the .history file, you should be left with a copy in
.opera/adprefs.ini. (Depending on the clue level of the script kiddie, he
may not find the linked copy.)

If you do have .history content, or other log info, please share it here
with us.

Regards,
Frank
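
The hard-link approach from the message above, as an added example that is not part of the original post: it shows that the linked copy survives an `rm` of `.history` but not an in-place truncation, because both names share one inode. The temporary directories and the sample history line are constructed.

```shell
#!/bin/sh
# Added example: .history hard-linked to a cover file on a honeypot account.
# Everything lives under a temporary directory; the history line is constructed.

# setup_home DIR: create a fake home with .history hard-linked to the cover file
setup_home() {
    home=$1
    mkdir -p "$home/.opera"
    printf 'uname -a; id\n' > "$home/.history"        # constructed sample entry
    ln "$home/.history" "$home/.opera/adprefs.ini"    # second name, same inode
}

# link_count FILE: number of directory entries pointing at FILE's inode
link_count() {
    ls -l "$1" | awk '{print $2}'
}

# survives_delete DIR: .history is unlinked; print what the cover file still holds
survives_delete() {
    setup_home "$1"
    rm -f "$1/.history"            # removes one name only, data stays on disk
    cat "$1/.opera/adprefs.ini"
}

# survives_truncate DIR: .history is emptied in place; print size of the cover copy
survives_truncate() {
    setup_home "$1"
    : > "$1/.history"              # truncates the shared inode, both names are empty
    wc -c < "$1/.opera/adprefs.ini" | tr -d ' '
}

tmp=$(mktemp -d)
echo "after rm:       $(survives_delete "$tmp/a")"
echo "after truncate: $(survives_truncate "$tmp/b") bytes left"
rm -rf "$tmp"
```

A link count of 2 on `.history` is visible in `ls -l`, so for evidence that also survives truncation the history has to be copied or logged somewhere outside the account's reach.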
