Linux Users' Group of Davis
Page last updated:
2004 Jun 08 19:14

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] X11 forward - used for hacking?

On Tue, Jun 08, 2004 at 05:34:12PM -0700, Ken Herron wrote:
> Given that the remote host is called "proxyscan", they seem to be 
> operating in the open. Some IRC servers will scan clients (see 
> <http://help.undernet.org/proxyscan/> for example), and some anti-spam 
> tactics involve proxy-scanning hosts trying to send mail.

I was talking to Jeff Newmiller and Dmitriy Ivanov on #lugod just now, and
that's pretty much what they mentioned.

The odd thing is, she had only IRC'd to some local servers in the
last 6 months, and I don't think any of them run anything like that.
HOWEVER, _I_ probably IRC'd to irc.freenode.net at some point, and I
just checked and they mention:

  *** - Freenode runs an open proxy scanner, (www.blitzed.org/bopm), as
  *** - described on our policy page
  *** - (http://freenode.net/policies.shtml#proxies).  Your use of
  *** - the network indicates your acceptance of this policy.  For your
  *** - convenience, reverse DNS for servers running the scanner return the
  *** - hostname "freenode-proxyscanner.acc.umu.se".

Still not the same host, but...

Also, she doesn't send mail locally, but does from the ISP's shell.

> >Is there some way that the following connection could be made?
> >
> >  somewhere.nl --> isp --> melissa's laptop
> >
> >Where all Melissa did was:   ssh shell.isp.com  ?
> Oh, sure. As I'm sure you know, X11 client-server connections normally 
> run over TCP. When you connect to a remote host using ssh with X11 
> forwarding, the ssh daemon on the remote system sets up an X11 listener 
> port for clients to connect to. Depending on how the ssh daemon is 
> configured, the X11 listener port can be confined to localhost, or it can 
> be accessible over the network.

"ForwardX11" was set locally on her laptop, and I saw "X11Forwarding yes"
in the ISP's "/etc/sshd_config", so maybe that's how it happened.

Jeff, Dmitriy and I think it's _probably_ nothing to worry about, and the
removal of "ForwardX11" from the laptop's SSH options should probably just
make the issue go away.

I also checked /etc/hosts.allow and ran nmap just to make sure nothing
mysterious was running.  (The "9999" on my own personal box scared the
crap out of me for a sec, until I remembered I'm running apt-proxy there. :) )

We're also behind a firewall (err, except WAP needs to be stuck in a DMZ one
of these days; I leave it off 99% of the time, though).  It currently only
allows IDENT and some BitTorrent-related stuff through.

> Otherwise, they 
> would have had the same access to your display as any other client (which 
> is pretty serious from a security standpoint).

Yeaaah... that's what I was guessing.  Scary.  I'll post more if anything
else happens.

In the meantime, I think it's about time I changed all my passwords. ;)
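
The quoted point about the X11 listener being confined to localhost or reachable over the network can be checked from the server's sshd configuration. The following is an added example, not part of the original post: it assumes current OpenSSH keyword names and defaults (`X11Forwarding no`, `X11UseLocalhost yes`), and the sample file is constructed.

```python
import re

# OpenSSH defaults when a keyword is absent from sshd_config (assumed: current releases).
DEFAULTS = {"x11forwarding": "no", "x11uselocalhost": "yes"}
LINE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")  # "Key value" or "Key=value"

def parse_sshd_config(text):
    """Return (global_opts, match_overrides); sshd keeps the first value per keyword."""
    global_opts, overrides, match = {}, [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(1).startswith("#"):   # blank, malformed or comment line
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key == "match":
            match = value                         # everything after this is conditional
        elif match is not None:
            if key in DEFAULTS:
                overrides.append((match, key, value.lower()))
        else:
            global_opts.setdefault(key, value.lower())  # first occurrence wins
    return global_opts, overrides

def x11_exposure(text):
    """Classify where sshd will bind the forwarded X11 listener."""
    opts, overrides = parse_sshd_config(text)
    eff = {k: opts.get(k, d) for k, d in DEFAULTS.items()}
    if eff["x11forwarding"] != "yes":
        level = "disabled"
    elif eff["x11uselocalhost"] == "no":
        level = "network"    # listener bound to the wildcard address
    else:
        level = "loopback"   # listener bound to the server's loopback address
    return level, overrides

# Constructed sample, not the ISP's actual file.
SAMPLE = """\
X11Forwarding yes
X11Forwarding no
X11UseLocalhost=no
Match User guest
    X11Forwarding no
"""

if __name__ == "__main__":
    level, overrides = x11_exposure(SAMPLE)
    print("global X11 exposure:", level)
    for cond, key, value in overrides:
        print(f"  Match {cond}: {key} {value}")
```

A result of "network" is the case where hosts other than the shell server itself can reach the forwarded display port; per-`Match` overrides are listed but not evaluated against a particular user.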
