[vox] Re: Password NOT stolen at linuxworld

Ryan Castellucci vox@lists.lugod.org
Sun, 17 Aug 2003 06:58:27 -0700


On Sun, Aug 17, 2003 at 06:03:26AM -0700, Ryan Castellucci wrote:
> On Sun, Aug 17, 2003 at 05:01:30AM -0700, Ryan Castellucci wrote:
> > On Mon, Aug 11, 2003 at 01:42:08PM -0700, Ryan Castellucci wrote:
> > > OK, guys, here's the scoop... Somebody 0wned my system at
> > > work, running Debian testing. Installed this lovely password
> > > logger, and snagged my password when I SCPed a file.
> > > I found a log file at /usr/lib/mem/mem
> > > 
> > > Bastards....
> > 
> > Well, looks like someone installed the same rootkit on cal.net's
> > shell on or about April 24...
> > 
> > There's a rather large /usr/lib/mem/mem file on there, and I may
> > have ssh'd into zaphod from cal.net's shell server, and this
> > jackass got in from there. I am very, very irritated.
> 
> Yup... I just looked at my .ssh/known_hosts
> 
> So this is largely cal.net's fault.

Then again, I should have been assuming my keystrokes were being
recorded and others were looking at my files, as it wasn't my box.