[vox-tech] X11 forward - used for hacking?

Bill Kendrick nbs at sonic.net
Tue Jun 8 17:46:19 PDT 2004


On Tue, Jun 08, 2004 at 05:34:12PM -0700, Ken Herron wrote:
> Given that the remote host is called "proxyscan", they seem to be 
> operating in the open. Some IRC servers will scan clients (see 
> <http://help.undernet.org/proxyscan/> for example), and some anti-spam 
> tactics involve proxy-scanning hosts trying to send mail.

I was talking to Jeff Newmiller and Dmitriy Ivanov on #lugod just now, and
that's pretty much what they mentioned.

The odd thing is, she had only IRC'd to some local servers in the
last 6 months, and I don't think any of them run anything like that.
HOWEVER, _I_ probably IRC'd to irc.freenode.net at some point, and I
just checked and they mention:

  *** - Freenode runs an open proxy scanner, (www.blitzed.org/bopm), as
  *** - described on our policy page
  *** - (http://freenode.net/policies.shtml#proxies).  Your use of
  *** - the network indicates your acceptance of this policy.  For your
  *** - convenience, reverse DNS for servers running the scanner return the
  *** - hostname "freenode-proxyscanner.acc.umu.se".

Still not the same host, but...

Also, she doesn't send mail locally, but does from the ISP's shell.
*shrug*


> >Is there some way that the following connection could be made?
> >
> >  somewhere.nl --> isp --> melissa's laptop
> >
> >Where all Melissa did was:   ssh shell.isp.com  ?
> 
> Oh, sure. As I'm sure you know, X11 client-server connections normally 
> run over TCP. When you connect to a remote host using ssh with X11 
> forwarding, the ssh daemon on the remote system sets up an X11 listener 
> port for clients to connect to. Depending on how the ssh daemon is 
> configured, the X11 listener port can be confined to localhost, or it can 
> be accessible over the network.

"ForwardX11" was set locally on her laptop, and I saw "X11Forwarding yes"
in the ISP's "/etc/sshd_config", so maybe that's how it happened.


Jeff, Dmitriy and I think it's _probably_ nothing to worry about, and the
removal of "ForwardX11" from the laptop's SSH options should probably just
make the issue go away.

I also checked /etc/hosts.allow and ran nmap just to make sure nothing
mysterious was running.  (The "9999" on my own personal box scared the
crap out of me for a sec, until I remembered I'm running apt-proxy there. :) )

We're also behind a firewall (err, except WAP needs to be stuck in a DMZ one
of these days; I leave it off 99% of the time, though).  It currently only
allows IDENT and some bittorrent-related stuff through.


<snip>
> Otherwise, they 
> would have had the same access to your display as any other client (which 
> is pretty serious from a security standpoint).

Yeaaah... that's what I was guessing.  Scary.  I'll post more if anything
else happens.

In the meantime, I think it's about time I changed all my passwords. ;)

-bill!
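A defender-side check for the settings discussed above, added here as an example and not part of the original thread: it reads an sshd_config for X11Forwarding and X11UseLocalhost (the OpenSSH keyword, not mentioned in the thread, that decides whether the forwarded-display listener is bound to loopback or to the network) and scans `ss -ltn` style output for X11 ports bound to a wildcard address. The config files and listener lines are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread: audit the sshd_config keywords the
# thread mentions and flag X11 listeners bound to a wildcard address.
# Assumes OpenSSH syntax ("Keyword value", first match wins) and `ss -ltn`
# style listener lines; every sample below is constructed.

# Effective value of a keyword (case-insensitive), or the default in $3.
sshd_opt() {  # file keyword default
    v=$(grep -iE "^[[:space:]]*$2[[:space:]]+" "$1" | head -n1 |
        awk '{ print tolower($2) }')
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# off: no forwarding. loopback: forwarding on, listener bound to 127.0.0.1
# (X11UseLocalhost defaults to yes). exposed: X11UseLocalhost no, so the
# listener sshd creates is reachable from the network.
x11_exposure() {  # file
    fwd=$(sshd_opt "$1" X11Forwarding no)
    local_only=$(sshd_opt "$1" X11UseLocalhost yes)
    if [ "$fwd" != yes ]; then echo off
    elif [ "$local_only" = yes ]; then echo loopback
    else echo exposed; fi
}

# X11 display :N listens on TCP 6000+N; sshd's forwarded displays start at
# X11DisplayOffset (default 10). Print those listening on a wildcard address.
exposed_x11_ports() {  # file of `ss -ltn` lines
    awk '$4 ~ /^(\*|0\.0\.0\.0|\[::\]|::):[0-9]+$/ {
             p = $4; sub(/.*:/, "", p); p += 0
             if (p >= 6000 && p <= 6099) print p }' "$1"
}

# Constructed samples: defaults, forwarding with the default loopback
# binding, and forwarding with the listener opened to the network.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf 'PermitRootLogin no\n' > "$tmp/default"
printf 'X11Forwarding yes\n' > "$tmp/loopback"
printf 'X11Forwarding yes\nx11uselocalhost no\n' > "$tmp/exposed"
cat > "$tmp/ss.txt" <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:6010     0.0.0.0:*
LISTEN 0      128    0.0.0.0:6011       0.0.0.0:*
LISTEN 0      128    [::]:6012          [::]:*
LISTEN 0      128    0.0.0.0:9999       0.0.0.0:*
EOF

for f in default loopback exposed; do
    printf '%s: %s\n' "$f" "$(x11_exposure "$tmp/$f")"
done
printf 'wildcard X11 ports: %s\n' "$(exposed_x11_ports "$tmp/ss.txt" | tr '\n' ' ')"
```

On a real host, point `x11_exposure` at /etc/ssh/sshd_config (the thread's ISP used /etc/sshd_config) and feed `exposed_x11_ports` the output of `ss -ltn`.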

