[100718] in RedHat Linux List
Re: Hacked! :(
daemon@ATHENA.MIT.EDU (Joerg Mertin)
Mon Nov 23 03:31:28 1998
Date: Mon, 23 Nov 1998 09:04:42 +0100
From: Joerg Mertin <smurphy@dspecialists.de>
To: redhat-list@redhat.com
Mail-Followup-To: redhat-list@redhat.com
In-Reply-To: <36576FB2.2F2@nook.net>; from Ramon Gandia on Sat, Nov 21, 1998 at 04:58:10PM -0900
Resent-From: redhat-list@redhat.com
Reply-To: redhat-list@redhat.com
On Sat, Nov 21, 1998 at 04:58:10PM -0900, Ramon Gandia wrote:
> Sean Harding wrote:
>
> > Not particularly. Any cracker who values his own time won't bother trying
> > to decrypt passwd entries. Time is better spent using a dictionary attack
> > program, such as Crack...
>
> Depends on how you set up your system. Normally, a telnet
> session will kick you off after 3 tries, and it is possible to
> add a delay in repeated attempts between the three tries. If
> you do this, it could take *years* before someone could break
> in....
Hmmm. Dunno what you folks do, but our Internet firewall/router has only
an sshd daemon running on it. Deactivated inetd and all other services
(except timed). I guess I'm on the right side. BTW, there are only 3
users that have access to this box, and the passwords of these were
checked during a week by Crack without a match :) ...
> news:x:9:13:/var/spool/news: <---- normal account.
> news:x:9:13:/var/spool/news:/bin/bash <----- cracked
Usually they created an account named "shadow".
>
> It would take a sharp eye to catch this one. There are
> variants. Of course, with the rootkit installed, the
> account name will be in /etc/passwd but it will not show
> up when listed with more, less, or cat. That is a *feature*
> of the rootkit. Nor will his home directory show up with
> ls, du and a few others. The rootkit is good at this sort
> of thing.
I had a trick for this. In my time as sysadmin at university, we had a lot
of break-ins, unfortunately. But I almost always found the buggers. The
funniest trick, however, was that I replaced a version of w specially hacked
for all, which produced a "No Hack" when called with "w -w" :) It was
quite funny, 'cause I almost every time noticed a hack-in when this call
was showing me the version number... and, to detect it, an rsh on w
(through ssh of course) showed me whether a break-in had occurred or not. The best
stuff was when the XFree bug occurred. In one night, they broke into 23
systems :) All I had to do was fix the bug on XFree, regenerate a
cpio filesystem archive and initiate the automatic reinstall on all
systems :) Took about 2 hours to update 120 systems :)
Regards
--
I must have slipped a disk -- my pack hurts!
-------------------------------------------------------------------------
System administrator: Joerg Mertin <smurphy@stardust.phantasia.org>
Phone: +49 30 467 805-71
FAX: +49 30 467 805-99
Email: <smurphy@DSPecialists.de>
WWW: http://www.DSPecialists.de
DSPecialists GmbH, Wattstraße 11-13, 13355 Berlin, Germany
--
PLEASE read the Red Hat FAQ, Tips, Errata and the MAILING LIST ARCHIVES!
http://www.redhat.com http://archive.redhat.com
To unsubscribe: mail redhat-list-request@redhat.com with
"unsubscribe" as the Subject.
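The thread describes two tampering patterns in /etc/passwd (a service account such as "news" given a login shell, and an added account such as "shadow") and the trick of comparing what the possibly trojaned local tools show against a copy read through a trusted path. The script below is an added example, not code from the thread or from Red Hat; it diffs a trusted baseline copy of /etc/passwd against the current listing and reports those patterns, and the sample entries are constructed for the example.

```python
"""Diff a trusted baseline copy of /etc/passwd against the current listing.
Flags: an account given an interactive shell, an account that was not in the
baseline, an extra uid-0 account, and an account that has vanished from the
listing (what a rootkit-patched cat/ls would produce versus a trusted read)."""

INTERACTIVE_SHELLS = {"/bin/sh", "/bin/bash", "/bin/csh", "/bin/tcsh",
                      "/bin/ksh", "/bin/zsh"}

# Constructed sample data: 'news' and 'shadow' mirror the thread's examples.
SAMPLE_BASELINE = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "news:x:9:13:news:/var/spool/news:\n"          # no login shell set
)
SAMPLE_CURRENT = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "news:x:9:13:news:/var/spool/news:/bin/bash\n"  # shell added
    "shadow:x:0:0::/tmp:/bin/bash\n"                # new uid-0 account
)


def parse_passwd(text):
    """Return {name: (uid, gid, home, shell)}; None marks a malformed line."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            entries[fields[0]] = None   # keep it so it gets reported
            continue
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries[name] = (int(uid), int(gid), home, shell)
    return entries


def find_tampering(baseline_text, current_text):
    """Return a list of human-readable findings (empty when nothing changed)."""
    base, cur = parse_passwd(baseline_text), parse_passwd(current_text)
    findings = []
    for name, entry in cur.items():
        if entry is None:
            findings.append(f"malformed entry: {name}")
            continue
        uid, _gid, _home, shell = entry
        if name not in base:
            findings.append(f"new account: {name} (uid {uid}, shell {shell!r})")
        else:
            old_uid, _, _, old_shell = base[name]
            if shell != old_shell and shell in INTERACTIVE_SHELLS:
                findings.append(f"shell changed: {name} {old_shell!r} -> {shell!r}")
            if old_uid != uid:
                findings.append(f"uid changed: {name} {old_uid} -> {uid}")
        if uid == 0 and name != "root":
            findings.append(f"extra uid-0 account: {name}")
    findings += [f"account missing from listing: {n}" for n in base if n not in cur]
    return findings


if __name__ == "__main__":
    for finding in find_tampering(SAMPLE_BASELINE, SAMPLE_CURRENT):
        print(finding)
```

Feed it the baseline from a trusted copy (or a read done through a known-good binary over ssh, as the thread suggests) and the current file as shown by the local tools; running it the other way round surfaces entries the local listing hides.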