l i n u x - u s e r s - g r o u p - o f - d a v i s
L U G O D
 
Next Meeting:
October 7: Social gathering
Next Installfest:
TBD
Latest News:
Aug. 18: Discounts to "Velocity" in NY; come to tonight's "Photography" talk
Page last updated:
2003 Aug 10 18:06

The following is an archive of a post made to our 'vox mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
[vox] password stolen at linuxworld
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[vox] password stolen at linuxworld



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Someone at linux world seems to have gotten ahold of my ssh user password 
from when I used it at linuxworld. They logged into my system this evening, 
and used my password to get a root shell via sudo, and possibly installed a 
rootkit. My log files were tampered with, and a processes is being hidden 
from the usual tools.

A connection to my ssh server came again early this morning from 
134.173.85.208, which failed, as I had set up a program to log connections on 
that port and drop them.

My server hosted at work my also have been adulterated. (shut down pending 
examination)

If this was any of you, know that I am not amused by this. Cleanup is a 
serious PITA, as I have to check all the servers at work of irregularities.

This will be somewhat easier as those machines log to a remote system, and 
have no direct access to logs.

I suspect that my password was either sholder surfed (unlikely, it'd be hard 
to memorize....) or someone was runnning man-in-the-middle attacks, and 
forced an SSHv1 session to prevent a warning, simply prompting for a new key.

Lucky for me, this password is not used for anthing other then logins on my 
personal machines, but the attacker may have had about 3 hours to play with 
my ssh keys (since removed from all authorized_keys files)

I will check my laptop's ssh known hosts on Monday to tell for 
sure.134.173.85.208

- -- 
PGP/GPG Fingerprint: 3B30 C6BE B1C6 9526 7A90  34E7 11DF 44F3 7217 7BC7
On pgp.mit.edu, import with `gpg --keyserver pgp.mit.edu --recv-key 72177BC7`
Also available at http://www.cal.net/~ryan/ryan_at_mother_dot_com.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/NiwNEd9E83IXe8cRAvSPAJ47B2jZsKhZIVp8Tc/VNv9ETatk3wCeIP0O
qWvWyeFdip1tc0Hf738OpNY=
=Kn75
-----END PGP SIGNATURE-----
_______________________________________________
vox mailing list
vox@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox



LinkedIn
LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
facebook
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
O'Reilly and Associates
For numerous book donations.