Rootshell pages hacked

Ryan Pavely paradox at nac.net
Sun Nov 1 02:43:21 UTC 1998


Well it just might have well been a problem with ssh.  People think
ssh is the most secure thing in the world.  If you sat down for about
25 minutes or so looking at how simple ssh is, you would be able to
write a simple mod for ssh that saves a db of
username->username at host:password like list.. and even take it one step
further.. if the username the person ssh'd to is root.. have another
attachment for sshd that every once in a while scp'd over your trojan
ssh/sshd... and also every day or so, have the newly trojan'd machine
connect to the 'master' machine on port 22 send the db over.. and wow..
Wait a few months and just think of all the little machines out there
that would be sending you password info.

This trojan took me about 3 days to write, although I never used it
except on myself on my home network, and it was one of the first c
programs I ever wrote.  Just think what an experienced c-coder/hacker
with true intent to harm could do to us all.  

Moral.. Don't trust ssh.

					-Ryan
					  Net Access Corporation


Michael Freeman wrote:
> 
> It is not a fucking problem in SSH! Jesus christ, people do not listen.
> If it had anything to do with ssh, here's what happened. (speculation) A
> trusted host was compromised that Kit Knox or another rootshell staff
> member used, ssh was trojaned and passwords were snagged, and the intruder
> simply walked right in through the front door. Nothing sophisticated,
> nothing fancy, no ssh remote exploits.
> 
> On Thu, 29 Oct 1998, Adam D. McKenna wrote:
> 
> > They claim they were running only qmail, apache and ssh, but who knows if
> > that's true.
> >
> > I have heard rumours about an ssh exploit but nothing concrete.
> >
> > --Adam
> >
> > -----Original Message-----
> > From: Joe Shaw <jshaw at insync.net>
> > To: JR Mayberry <rick at magpage.com>
> > Cc: neil <neil at junior.uwc.ac.za>; Russ Haynal <russ at navigators.com>;
> > nanog at merit.edu <nanog at merit.edu>
> > Date: Thursday, October 29, 1998 2:36 PM
> > Subject: Re: Rootshell pages hacked
> >
> >
> > I thought they were running qmail?
> >
> > Joe
> >
> > On Thu, 29 Oct 1998, JR Mayberry wrote:
> >
> > > Supposedly sendmail 8.9.1 is to blame, not ssh.
> > > http://www.sendmail.com/sendmail.8.9.1a.html
> >
> >
> >
> >


