Found, a new rootkit
John Summerfield
debian at herakles.homelinux.org
Wed Apr 5 13:00:11 UTC 2006
Craig White wrote:
> On Sat, 2006-04-01 at 08:42 +0800, John Summerfield wrote:
>
>>Craig White wrote:
>>
>>
>>>it's actually the fault of the admins who don't use any password
>>>checking mechanisms, but I suppose that it's more feasible to blame
>>>stupid users...of course, I would never do such a thing ;-)
>>
>>There is quite a deal of well-reasoned debate about what constitutes a
>>good password.
>>
>>First, one needs to be able to remember it without writing it down. This
>>meets Windows AD complexity requirements,
>>
>>10:72:94:e5:64:d5:68:51:d1:55:c0:2b:e5:4e:7f:fa
>
> ----
> of course Windows computers keep the hash lying around which is fairly
> easily cracked ;-)
If you're that close to the computer, all bets are off, Linux or
Windows: you don't need administrative rights to do lots of bad stuff.
> ----
>
>>but I defy anyone to remember it any time soon!
>>
>>"bismcoles" would probably be easy for Bill Smith to remember, and would
>>certainly defy any dictionary attack. As would "bluewatermelon."
>>
>>The expect package has a password generator that creates passwords like
>>this, but again they're hard to remember: "et3tUfGd."
>>
>>
>>A reasonable security system would shut down the login process for a
>>time after some number of consecutive failed login attempts. It's a rule
>>that's been around for a long time, it's even in Linux, but implemented
>>poorly.
>
> ----
> that's why you actually have to think about what you are doing when you
> permit shell account access on a system that is exposed to the Internet.
ftp and email are good ways to enumerate accounts and look for
passwords. Having opened an account, then try for shell access :-\
--
Cheers
John
-- spambait
1aaaaaaa at computerdatasafe.com.au Z1aaaaaaa at computerdatasafe.com.au
Tourist pics http://portgeographe.environmentaldisasters.cds.merseine.nu/
do not reply off-list