[vox] password stolen at linuxworld

Ryan Castellucci vox@lists.lugod.org
Sun, 10 Aug 2003 04:26:57 -0700


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Someone at linux world seems to have gotten ahold of my ssh user password
from when I used it at linuxworld. They logged into my system this evening,
and used my password to get a root shell via sudo, and possibly installed a
rootkit. My log files were tampered with, and a process is being hidden
from the usual tools.

A connection to my ssh server came again early this morning from
134.173.85.208, which failed, as I had set up a program to log connections on
that port and drop them.

My server hosted at work may also have been adulterated. (shut down pending
examination)

If this was any of you, know that I am not amused by this. Cleanup is a
serious PITA, as I have to check all the servers at work for irregularities.

This will be somewhat easier as those machines log to a remote system, and
have no direct access to logs.

I suspect that my password was either shoulder surfed (unlikely, it'd be hard
to memorize....) or someone was running man-in-the-middle attacks, and
forced an SSHv1 session to prevent a warning, simply prompting for a new key.

Lucky for me, this password is not used for anything other than logins on my
personal machines, but the attacker may have had about 3 hours to play with
my ssh keys (since removed from all authorized_keys files)

I will check my laptop's ssh known hosts on Monday to tell for sure.
134.173.85.208

-- 
PGP/GPG Fingerprint: 3B30 C6BE B1C6 9526 7A90  34E7 11DF 44F3 7217 7BC7
On pgp.mit.edu, import with `gpg --keyserver pgp.mit.edu --recv-key 72177BC7`
Also available at http://www.cal.net/~ryan/ryan_at_mother_dot_com.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/NiwNEd9E83IXe8cRAvSPAJ47B2jZsKhZIVp8Tc/VNv9ETatk3wCeIP0O
qWvWyeFdip1tc0Hf738OpNY=
=Kn75
-----END PGP SIGNATURE-----
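The post mentions a process being hidden from the usual tools. The script below is an added example, not code from the original message or its author, showing the standard first check for that situation: take the set of processes the kernel actually has (a direct walk of /proc plus a kill(pid, 0) probe of every PID up to pid_max) and diff it against what ps reports. It assumes a Linux /proc layout and a procps-style `ps -e -o pid=`; the sample inputs in the test are constructed. A user-land rootkit that trojans ps or hooks readdir cannot hide from the kill() probe, while a kernel-level rootkit can lie to both paths, so an empty result is not proof of a clean host.

```python
"""Cross-check the processes the kernel has against what ps reports.

Added example, not code from the original post. Assumes Linux (/proc layout,
procps 'ps -e -o pid='). Run as root: with /proc mounted hidepid=1/2, or as an
unprivileged user, other users' processes are legitimately invisible and would
show up as false hits.
"""
import os
import subprocess

PROC = "/proc"


def pids_from_proc(proc_root=PROC):
    """PIDs the /proc directory listing admits to (what 'ls /proc' shows)."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def parse_ps_pids(ps_output):
    """Parse 'ps -e -o pid=' style output (one PID per line) into a set of ints."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}


def pids_from_ps():
    """PIDs reported by ps, the tool a rootkit is most likely to have trojaned."""
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return parse_ps_pids(out)


def thread_group_leader(pid, proc_root=PROC):
    """True if /proc/<pid>/status says the PID is a process rather than a thread.

    Returns None if the status file is missing: the PID answered kill(pid, 0)
    but has no /proc entry, which is exactly what a hidden process looks like.
    """
    try:
        with open(f"{proc_root}/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except FileNotFoundError:
        return None
    return False


def pids_by_signal(max_pid=None, proc_root=PROC):
    """Brute-force PIDs with kill(pid, 0); EPERM also means 'exists'.

    kill() accepts thread IDs too, so threads are filtered out via Tgid, while
    a PID that is alive but has no /proc entry is kept as suspicious.
    """
    if max_pid is None:
        try:
            with open(f"{proc_root}/sys/kernel/pid_max") as f:
                max_pid = int(f.read())
        except OSError:
            max_pid = 32768  # conservative fallback if pid_max is unreadable
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue  # no such process
        except PermissionError:
            pass  # exists, owned by someone else
        if thread_group_leader(pid, proc_root) is not False:
            alive.add(pid)
    return alive


def find_hidden_pids(visible, ground_truth, ignore=()):
    """PIDs that exist (ground_truth) but are absent from what ps shows (visible)."""
    return sorted(pid for pid in set(ground_truth) - set(visible) if pid not in ignore)


def audit(rounds=3):
    """Repeat the comparison and keep only PIDs hidden in every round, which
    drops processes that merely started or exited between the two snapshots."""
    hidden = None
    for _ in range(rounds):
        visible = pids_from_ps()
        truth = pids_from_proc() | pids_by_signal()
        found = set(find_hidden_pids(visible, truth, ignore={os.getpid()}))
        hidden = found if hidden is None else hidden & found
    return sorted(hidden)


if __name__ == "__main__":
    for pid in audit():
        print(f"PID {pid} exists but is missing from ps output")
```

Because the binaries on a compromised host cannot be trusted, run this from a statically linked interpreter on read-only media where possible, and treat any hit as a reason to image the disk rather than to keep poking at the live system.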