Date: Wed, 19 Jan 2000 13:43:25 +0100
From: Stephan van Beerschoten <stephanb@luna.nl>
To: freebsd-security@FreeBSD.ORG
Subject: ssh-feature 'backdoor'
Message-ID: <20000119134325.J2167@supra.rotterdam.luna.net>
I have discovered the obvious ..

I was helping a friend of mine who admins a couple of machines to find left-overs from hacks.. (The machine is used for these kinds of playful thingies) and we discovered something which other admins might not see because they don't think of it as a valid entry-point.

sshd accepts connections with the RSA-key system (I love the system, I hop from one system to the next using this system and the ssh-agent running), but a hacker has created an ~root/.ssh/authorized_keys file with his own key in it. The comment on the key was root@<machinename removed> so for the 'default' admin the key would not look like something which should not be there .. but it was the hacker's way to simply ssh to the box, enter his RSA passphrase (or let the ssh-agent take care of it) and he was in, having all the time to erase his presence from logs etc.

Just a hint.. watch the ~root/.ssh dir.

-Steve

--
Stephan van Beerschoten
Email: stephanb@luna.nl
Network Engineer
Luna Internet Services
PGP fingerprint 4557 9761 B212 FB4C 778D 3529 C42A 2D27
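An added example, not part of the original message: because the comment field of a key is free text chosen by whoever installs it, an audit of `~root/.ssh/authorized_keys` has to compare key fingerprints against an approved list rather than read the comments. The sketch assumes the current OpenSSH one-line entry format (`[options] keytype base64 [comment]`) and an approved-fingerprint set maintained elsewhere; the keys, the host name `host1` and all function names are constructed for illustration.

```python
import base64, hashlib, re, struct

# Options can hold quoted spaces, so find the key by its type token, not by splitting.
KEY_RE = re.compile(r'(?:^|\s)((?:ssh|ecdsa|sk)-[\w@.-]+)\s+([A-Za-z0-9+/]+=*)(?:\s+(.*))?$')

def fingerprint(blob):
    """SHA256 fingerprint in the form printed by `ssh-keygen -l`."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def parse_line(line):
    """Return (fingerprint, comment). The blob must start with a
    length-prefixed copy of the key type, otherwise ValueError is raised."""
    m = KEY_RE.search(line.strip())
    if not m:
        raise ValueError("no key found")
    keytype, b64, comment = m.group(1), m.group(2), m.group(3) or ""
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type does not match blob")
    return fingerprint(blob), comment

def audit(text, approved):
    """Return (line_no, fingerprint_or_None, detail) per unapproved entry."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            fp, comment = parse_line(line)
        except (ValueError, struct.error) as exc:
            findings.append((no, None, f"unparseable: {exc}"))
            continue
        if fp not in approved:
            findings.append((no, fp, comment))
    return findings

def constructed_key(seed):
    """Constructed sample (not a real key): ed25519-shaped blob as base64."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([seed]) * 32
    return base64.b64encode(blob).decode()

# Two entries with the same innocent-looking comment; only the first is approved.
ADMIN, OTHER = constructed_key(1), constructed_key(2)
SAMPLE = (f"ssh-ed25519 {ADMIN} root@host1\n"
          f'from="192.0.2.7" ssh-ed25519 {OTHER} root@host1\n')
APPROVED = {fingerprint(base64.b64decode(ADMIN))}

if __name__ == "__main__":
    for finding in audit(SAMPLE, APPROVED):
        print(finding)
```

Both sample entries carry the comment `root@host1`; only the fingerprint check separates them, and lines that fail to parse are reported rather than skipped.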