[20926] in North American Network Operators' Group
Re: Rootshell pages hacked
daemon@ATHENA.MIT.EDU (C. Harald Koch)
Thu Oct 29 15:54:29 1998
To: "Adam D. McKenna" <adam@flounder.net>
cc: nanog@merit.edu
In-reply-to: adam's message of "Thu, 29 Oct 1998 14:38:44 -0500".
<04c601be0373$c0dc2d90$e50984a9@flounder.telecom.idt.net>
From: "C. Harald Koch" <chk@utcc.utoronto.ca>
Date: Thu, 29 Oct 1998 15:03:49 -0500
In message <04c601be0373$c0dc2d90$e50984a9@flounder.telecom.idt.net>, "Adam D. McKenna" writes:
> They claim they were running only qmail, apache and ssh, but who knows if
> that's true.
>
> I have heard rumours about an ssh exploit but nothing concrete.
I know of some interesting sites that were hacked into "using ssh" recently.
The trick is to attack the SSH *client* machine, and then take advantage of
things like a running ssh-agent and existing authorized_keys files to connect
to the server host using the existing (valid) trust relationship. This isn't
an SSH bug, merely a standard side effect of distributed trust.
--
C. Harald Koch <chk@utcc.utoronto.ca>
"It takes a child to raze a village."
-Michael T. Fry
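
An added example, not part of the original message: a defender's inventory of the authorized_keys trust relationships the post describes, flagging keys that are accepted from any source host or that allow agent forwarding. It assumes OpenSSH's authorized_keys option syntax (`from=`, `restrict`, `no-agent-forwarding`); the function names and the sample file are constructed for illustration.

```python
import re

KEY_TYPE = re.compile(r"(ssh-|ecdsa-sha2-|sk-)")  # line starts with key type: no options

def split_options(line):
    """Split one authorized_keys line into (set of option names, remainder)."""
    if KEY_TYPE.match(line):
        return set(), line
    opts, buf, quoted, i = [], "", False, 0
    while i < len(line):
        c = line[i]
        if quoted and line[i:i + 2] == '\\"':   # escaped quote inside a value
            buf, i = buf + '"', i + 1
        elif c == '"':
            quoted = not quoted
        elif c == "," and not quoted:           # option separator
            opts.append(buf)
            buf = ""
        elif c in " \t" and not quoted:         # end of the options field
            break
        else:
            buf += c
        i += 1
    opts.append(buf)
    return {o.partition("=")[0].lower() for o in opts}, line[i:].strip()

def audit(text):
    """Return (line number, key comment, issues) for loosely restricted keys."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, rest = split_options(line)
        issues = []
        if "from" not in opts:
            issues.append("usable from any source host")
        if "restrict" not in opts and "no-agent-forwarding" not in opts:
            issues.append("agent forwarding permitted")
        if issues:
            findings.append((n, " ".join(rest.split()[2:]), issues))
    return findings

# Constructed sample; key material replaced by placeholder text.
SAMPLE = """# constructed authorized_keys
ssh-ed25519 AAAA_PLACEHOLDER alice@laptop
from="10.0.0.0/8,192.0.2.10",no-agent-forwarding ssh-rsa AAAA_PLACEHOLDER backup@batch
restrict,command="/usr/local/bin/rsync-only" ssh-ed25519 AAAA_PLACEHOLDER mirror@cron
"""
```

Each finding marks a key that would let a compromised client reach this account without any narrowing of the existing trust relationship.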