Date: Wed, 19 Jan 2000 15:52:03 +0200
From: Marc Silver <marcs@is.co.za>
To: Stephan van Beerschoten <stephanb@luna.nl>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ssh-feature 'backdoor'
Message-ID: <20000119155203.C8404@is.co.za>
In-Reply-To: <20000119134325.J2167@supra.rotterdam.luna.net>
References: <20000119134325.J2167@supra.rotterdam.luna.net>

That should never happen if this line is in your sshd_config file:

    PermitRootLogin no

I think it's better to log in as your user and then su to root.

Cheers,
Marc

On Wed, Jan 19, 2000 at 01:43:25PM +0100, Stephan van Beerschoten wrote:
> I have discovered the obvious ..
>
> I was helping a friend of mine who admins a couple of
> machines to find left-overs from hacks.. (The machine is
> used for these kinds of playful thingies) and we discovered
> something which other admins might not see because they
> don't think of it as a valid entry-point.
>
> sshd accepts connections with the rsa-key system (I love the
> system, I hop from one system to the next using this system
> and the ssh-agent running), but a hacker has created an
> ~root/.ssh/authorized_keys file with his own key in it.
>
> The comment on the key was root@<machinename removed> so
> for the 'default' admin the key would not look like something
> which should not be there .. but it was the hacker's way to
> simply ssh to the box, enter his rsa passphrase (or let the
> ssh-agent take care of it) and he was in, having all the time
> to erase his presence from logs etc.
>
> Just a hint.. watch the ~root/.ssh dir.
>
> -Steve
>
> --
> Stephan van Beerschoten              Email: stephanb@luna.nl
> Network Engineer                     Luna Internet Services
> PGP fingerprint 4557 9761 B212 FB4C 778D 3529 C42A 2D27
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
Marc Silver
IS Hosting Infrastructure
The Internet Solution
Tel: (+27 11) 283 5500
Fax: (+27 11) 283 5001
E-mail: marcs@is.co.za
Web: www.is.co.za
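
An added example, not part of either message: since the key comment described above is free text and proves nothing, this audit compares each key in root's authorized_keys by fingerprint against an approved set, and reads the PermitRootLogin value Marc mentions. It assumes the current OpenSSH one-line key format (not the SSH1 format in use in 2000); the function names, sample keys and host name are constructed for illustration.

```python
import base64
import binascii
import hashlib

KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-")  # OpenSSH public key type prefixes

def fingerprint(blob_b64):
    """SHA256 fingerprint of a base64 key blob, in the form ssh-keygen -l prints."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    """Yield (fingerprint, comment) per key line, skipping any leading options."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, field in enumerate(fields[:-1]):
            if field.startswith(KEY_TYPES):
                try:
                    yield fingerprint(fields[i + 1]), " ".join(fields[i + 2:])
                except binascii.Error:
                    yield "UNPARSEABLE", line  # surface it rather than skip it
                break

def unexpected_keys(text, approved):
    """Keys whose fingerprint is not approved, whatever their comment claims."""
    return [(fp, c) for fp, c in parse_authorized_keys(text) if fp not in approved]

def permit_root_login(sshd_config_text):
    """Global PermitRootLogin value (sshd keeps the first one), or None if unset."""
    for line in sshd_config_text.splitlines():
        parts = line.split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "match":
            break  # settings after a Match line are conditional
        if parts[0].lower() == "permitrootlogin" and len(parts) == 2:
            return parts[1].strip().lower()
    return None

# Constructed sample data: placeholder blobs, not real keys.
ADMIN_BLOB = base64.b64encode(b"constructed admin key blob").decode()
ROGUE_BLOB = base64.b64encode(b"constructed intruder key blob").decode()
SAMPLE_KEYS = f"ssh-ed25519 {ADMIN_BLOB} root@host1\nno-pty ssh-rsa {ROGUE_BLOB} root@host1\n"
APPROVED = {fingerprint(ADMIN_BLOB)}

if __name__ == "__main__":
    for fp, comment in unexpected_keys(SAMPLE_KEYS, APPROVED):
        print("unapproved root key:", fp, comment)
    print("PermitRootLogin:", permit_root_login("PermitRootLogin no\n"))
```

Both sample keys carry the same comment, so only the fingerprint comparison tells them apart; the approved set should be kept off the audited host.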