
Re: Re: [K12OSN] I got hacked.........

On Tue, 9 Apr 2002, Stephen J Smoogen wrote:

>Here is my general advice on a hacked machine.

Ack! You barely beat me to it. I'll just add the diff from the email I was
about to send...

>2) Do not use the 'compromised' system, and treat any other systems around as possible compromised systems.  Jim's advice of removing the compromised system's hard-drive and putting another one is good advice especially if you go through 1). 

And be sure to assume that the hacker knows all the passwords to your other
systems. Any "trust" relationships you have set up between servers will have
been exploited as well. In short, be sure to check all of your other servers,
change all of your passwords, etc, etc.

>4) From your explanation (which I understand is a 10,000 meter view of it), I really don't think it is ssh that is the problem. Problems it could be:

I agree that it was probably not ssh as well, but it could have been if it
was an old version. Are you using OpenSSH 3.0?

I still see heavy scanning for the SSH1 vulnerability.

> c) if it is ssh, then it is most likely someone has a compromised client. This is where the black-hat changes the ssh client into one that logs passwords. This happens a lot at universities/internet cafes. Some person logs into their box not knowing their every keystroke is logged.

A bit off-topic, but I use MindTerm - a Java SSH client - when connecting
out from an untrusted workstation. Still doesn't fix all of the problem, but
at least I know the SSH client itself is not compromised.


