[21160] in North American Network Operators' Group
Re: Rootshell pages hacked
daemon@ATHENA.MIT.EDU (Alex P. Rudnev)
Thu Nov 5 14:21:41 1998
Date: Thu, 5 Nov 1998 22:00:09 +0300 (MSK)
From: "Alex P. Rudnev" <alex@Relcom.EU.net>
To: Michael Freeman <mikef@boris.talentsoft.com>
cc: dhiraj murthy <soa@funkytekno.exodus.net>,
"Adam D. McKenna" <adam@flounder.net>, Joe Shaw <jshaw@insync.net>,
JR Mayberry <rick@magpage.com>, neil <neil@junior.uwc.ac.za>,
Russ Haynal <russ@navigators.com>, nanog@merit.edu
In-Reply-To: <Pine.LNX.3.96.981105122924.24311A-100000@boris.talentsoft.com>
Btw. I know exactly where hackers get the trojaned SSHD from, and I am
sure they will begin to install it more and more. We can't exclude that some day
the original SSH daemon (or, for a joke, Microsoft NT) will be trojaned
from the very start point.
On Thu, 5 Nov 1998, Michael Freeman wrote:
> Date: Thu, 5 Nov 1998 12:30:11 +0000 (Local time zone must be set--see zic manual page)
> From: Michael Freeman <mikef@boris.talentsoft.com>
> To: "Alex P. Rudnev" <alex@relcom.EU.net>
> Cc: dhiraj murthy <soa@funkytekno.exodus.net>,
> "Adam D. McKenna" <adam@flounder.net>, Joe Shaw <jshaw@insync.net>,
> JR Mayberry <rick@magpage.com>, neil <neil@junior.uwc.ac.za>,
> Russ Haynal <russ@navigators.com>, nanog@merit.edu
> Subject: Re: Rootshell pages hacked
>
> Me three. If they don't turn up I think I am going to make the
> modifications myself. I am using an old s/key implementation though, from
> thumper.bellcore.net I believe, anyone know of any others? Thanks.
>
> On Thu, 5 Nov 1998, Alex P. Rudnev wrote:
>
> > Btw, it's of great interest for me too.
> >
> >
> > On Thu, 5 Nov 1998, dhiraj murthy wrote:
> >
> > > Date: Thu, 5 Nov 1998 11:49:19 -0500 (EST)
> > > From: dhiraj murthy <soa@funkytekno.exodus.net>
> > > To: "Alex P. Rudnev" <alex@Relcom.EU.net>
> > > Cc: Michael Freeman <mikef@boris.talentsoft.com>,
> > > "Adam D. McKenna" <adam@flounder.net>, Joe Shaw <jshaw@insync.net>,
> > > JR Mayberry <rick@magpage.com>, neil <neil@junior.uwc.ac.za>,
> > > Russ Haynal <russ@navigators.com>, nanog@merit.edu
> > > Subject: Re: Rootshell pages hacked
> > >
> > > I am trying to get ssh working with skey. anyone know where to get patches
> > > to force 1.2.6 to do this?
> > >
> > > thanks,
> > >
> > > -dhiraj
> > >
> > > On Mon, 2 Nov 1998, Alex P. Rudnev wrote:
> > >
> > > > SSH without S/Key or some kind of one-time password is useless in case
> > > > of any compromised passwords (except the case when you'd like to restrict
> > > > access to the trusted set of hosts). SSH itself is not believed to be a
> > > > problem; UNIX one-time passwords are the real problem. Another bad problem is
> > > > _the same UNIX password for all purposes_ - I can sniff your FTP password
> > > > and use it for SSH access (for example).
> > > >
> > > > On Sat, 31 Oct 1998, Michael Freeman wrote:
> > > >
> > > > > Date: Sat, 31 Oct 1998 14:45:51 +0000 (Local time zone must be set--see zic manual page)
> > > > > From: Michael Freeman <mikef@boris.talentsoft.com>
> > > > > To: "Adam D. McKenna" <adam@flounder.net>
> > > > > Cc: Joe Shaw <jshaw@insync.net>, JR Mayberry <rick@magpage.com>,
> > > > > neil <neil@junior.uwc.ac.za>, Russ Haynal <russ@navigators.com>,
> > > > > nanog@merit.edu
> > > > > Subject: Re: Rootshell pages hacked
> > > > >
> > > > > It is not a fucking problem in SSH! Jesus christ, people do not listen.
> > > > > If it had anything to do with ssh, heres what happened. (speculation) A
> > > > > trusted host was compromised that Kit Knox or another rootshell staff
> > > > > member used, ssh was trojaned and passwords were snagged, and the intruder
> > > > > simply walked right in through the front door. Nothing sophisticated,
> > > > > nothing fancy, no ssh remote exploits.
> > > > >
> > > > > On Thu, 29 Oct 1998, Adam D. McKenna wrote:
> > > > >
> > > > > > They claim they were running only qmail, apache and ssh, but who knows if
> > > > > > that's true.
> > > > > >
> > > > > > I have heard rumours about an ssh exploit but nothing concrete.
> > > > > >
> > > > > > --Adam
> > > > > >
> > > > > > -----Original Message-----
> > > > > > From: Joe Shaw <jshaw@insync.net>
> > > > > > To: JR Mayberry <rick@magpage.com>
> > > > > > Cc: neil <neil@junior.uwc.ac.za>; Russ Haynal <russ@navigators.com>;
> > > > > > nanog@merit.edu <nanog@merit.edu>
> > > > > > Date: Thursday, October 29, 1998 2:36 PM
> > > > > > Subject: Re: Rootshell pages hacked
> > > > > >
> > > > > >
> > > > > > I thought they were running qmail?
> > > > > >
> > > > > > Joe
> > > > > >
> > > > > > On Thu, 29 Oct 1998, JR Mayberry wrote:
> > > > > >
> > > > > > > Supposedly sendmail 8.9.1 is to blame, not ssh.
> > > > > > > http://www.sendmail.com/sendmail.8.9.1a.html
Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
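The thread's point is that a static password captured by a trojaned sshd or a sniffer works again and again, while an S/Key one-time password does not. Below is an added illustration, not code from the thread or from any S/Key distribution: a minimal Python model of the RFC 2289 hash-chain construction (MD5 with the 16-to-8 byte fold, hex values instead of the six-word encoding), with a constructed seed and passphrase, showing a captured response being accepted once and then rejected on replay.

```python
# Added example, not from the thread: an S/Key-style one-time password chain
# (RFC 2289 construction, MD5 with the 16->8 byte fold). Each response is
# accepted once, so a password captured by a trojaned sshd or sniffer is useless.
import hashlib


def fold(digest: bytes) -> bytes:
    """RFC 2289 MD4/MD5 fold: XOR the two 8-byte halves of a 16-byte digest."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))


def step(value: bytes) -> bytes:
    """One link of the hash chain: f(x) = fold(MD5(x))."""
    return fold(hashlib.md5(value).digest())


def otp(seed: str, passphrase: str, n: int) -> bytes:
    """Client side: S_n = f^n(S_0) with S_0 = fold(MD5(seed || passphrase))."""
    value = fold(hashlib.md5((seed.lower() + passphrase).encode()).digest())
    for _ in range(n):
        value = step(value)
    return value


class SkeyVerifier:
    """Server side: keeps only the last accepted value and its sequence number.
    The passphrase never reaches the server, and S_{n-1} cannot be derived
    from S_n, so neither a sniffed response nor a stolen server file helps."""

    def __init__(self, seed: str, passphrase: str, count: int = 99):
        self.seed, self.seq = seed, count
        self.last = otp(seed, passphrase, count)  # enrolment stores S_count

    def verify(self, response: bytes) -> bool:
        """Accept iff f(response) == stored value, then advance the chain."""
        if self.seq <= 0 or step(response) != self.last:
            return False
        self.last, self.seq = response, self.seq - 1
        return True


def demo() -> dict:
    """Constructed scenario: one legitimate login is captured and replayed."""
    passphrase = "correct horse staple"          # constructed client-only secret
    server = SkeyVerifier("re12345", passphrase, count=99)
    captured = otp("re12345", passphrase, server.seq - 1)  # seen on the wire
    first = server.verify(captured)
    replay = server.verify(captured)             # same value again: rejected
    fresh = server.verify(otp("re12345", passphrase, server.seq - 1))
    return {"first": first, "replay": replay, "fresh": fresh, "seq": server.seq}
```

The server file holds only S_n, so even a stolen copy yields no future password; the client must still protect the passphrase itself, which is why the chain is only as good as the machine the user types on.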