[vox-tech] X11 forward - used for hacking?

Bill Kendrick nbs at sonic.net
Tue Jun 8 16:38:31 PDT 2004


Yesterday, Melissa noticed a strange X11 message appear while she was
using IRC.  A little while later, when she went to log off from the remote
system where she was running the IRC client (an ISP shell server),
it hung with a pair of X11 connections.

Today, something similar happened, and now I'm concerned:

  Waiting for forwarded connections to terminate...
  The following connections are open:
    X11 connection from proxyscan.xs4all.nl port 11219

I went in and changed the "ForwardX11" setting we had in "/etc/ssh/ssh_config",
since it's not useful any more.  (I think she used to log into her machine
upstairs and run some X apps remotely, but I guess it's been a while.)

What I'm afraid of, though, is that this might be some kind of roundabout
hack attempt.  However, I don't have a very good understanding of the kinds
of exploits that may be involved here.

We've contacted our ISP to let them know something fishy's going on, but
no response yet.  In the meantime, I'm wondering what people here think.

Is there some way that the following connection could be made?

  somewhere.nl --> isp --> melissa's laptop

Where all Melissa did was:   ssh shell.isp.com  ?


Scared of keyloggers,

-bill!
bill at newbreedsoftware.com              C is like an industrial strength
http://www.newbreedsoftware.com/       nail gun; if wielded improperly,
New Breed Software                       it can cause untold carnage.
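
Added example, not part of the original post: a shell check for the setting the message describes changing, listing every line in an ssh client config that still enables X11 forwarding. The sample config and the host name `upstairs` are constructed; `ForwardX11Trusted` is the related OpenSSH client option and is not mentioned in the post.

```shell
#!/bin/sh
# Added example: report ssh_config lines that enable X11 forwarding.
# ssh uses the FIRST value it obtains for an option (command line, then
# ~/.ssh/config, then /etc/ssh/ssh_config), so one early "yes" wins over a
# later "no"; audit the per-user file as well as the system-wide one.

audit_x11() {
    # usage: audit_x11 FILE...   prints "file:line: scope: Keyword value"
    awk '
        FNR == 1 { scope = "(global)" }          # options before any Host line
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^#/) next  # blank line or comment
            key = line
            sub(/[ \t=].*/, "", key)             # keyword ends at space or "="
            val = substr(line, length(key) + 1)
            sub(/^[ \t]*=?[ \t]*/, "", val)      # "Key value" or "Key=value"
            sub(/[ \t]+$/, "", val)
            gsub(/"/, "", val)                   # arguments may be quoted
            k = tolower(key); v = tolower(val)   # keywords are case-insensitive
            if (k == "host" || k == "match") { scope = key " " val; next }
            if ((k == "forwardx11" || k == "forwardx11trusted") &&
                (v == "yes" || v == "true"))
                printf "%s:%d: %s: %s %s\n", FILENAME, FNR, scope, key, val
        }' "$@"
}

# Constructed sample config (host "upstairs" is hypothetical).
sample_config() {
    cat <<'EOF'
# constructed sample, not from the original post
Host upstairs
    ForwardX11 yes
    ForwardX11Trusted = yes
Host shell.isp.com
    forwardx11 no
Host *
    ForwardAgent no
    ForwardX11=true
EOF
}

if [ "$#" -gt 0 ]; then
    audit_x11 "$@"                 # e.g. /etc/ssh/ssh_config ~/.ssh/config
else
    tmp=$(mktemp) && sample_config > "$tmp" && audit_x11 "$tmp"; rm -f "$tmp"
fi
```

No output for a file means no line in it turns X11 forwarding on; the check does not evaluate which `Host` block a given connection would actually match.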

