On Wed, Dec 03, 2003 at 11:47:54AM -0800, Hal Pomeranz wrote:
> The only thing that worries me about the write up is the fact that a
> "sniffed password" was used to break into several machines.  I have to
> ask why they're not using SSH for all communications to/from these
> boxes and why they're not using something better than re-usable passwords
> for access control.  

I'm concerned about this too.  Not only that the passwords were sent in
a sniffable format, but also over a medium that was sniffable.  How did
the attacker sniff packets between developer machines and debian.org?
Unless they cracked a box in between somewhere, anywhere.

> Sloppy work on the attackers' part in leaving the exploit code behind
> so that it could be analyzed, btw.  All you can say is, "thanks very much."

This isn't necessarily sloppy work.  Have you looked at The Coroner's
Toolkit[1] by Wietse Venema (author of postfix) and Dan Farmer?  This is
basically a Unix undelete.  The attacker could very well have erased
their already encrypted exploit binary, and TCT or even a dd image could
have recovered it unless they overwrote the particular disk blocks.

[1] http://www.porcupine.org/forensics/

Cory

-- 
Cory Petkovsek                                       Adapting Information
Adaptable IT Consulting                                Technology to your   
(541) 914-8417                                                   business
[EMAIL PROTECTED]                                  www.AdaptableIT.com
_______________________________________________
EuG-LUG mailing list
[EMAIL PROTECTED]
http://mailman.efn.org/cgi-bin/listinfo/eug-lug

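The point Cory makes about rm versus overwriting, shown as an added example that is not part of the thread and not code from The Coroner's Toolkit: a toy block device where unlink() only drops the directory entry, a carver that scans the raw image for ELF magic the way unrm/lazarus or a dd image plus a carver would, and the two cases where the carve fails (the freed block gets reused, or the attacker zeroes the blocks before unlinking). The block size, the "fake ELF" layout with a length field, the file names and the payload bytes are all constructed for the example.

```python
import struct

BLOCK = 512                      # assumed block size of the constructed image
ELF_MAGIC = b"\x7fELF"
PAYLOAD = b"constructed stand-in for an exploit body; not a real exploit"


def make_fake_elf(payload: bytes) -> bytes:
    """Constructed stand-in for a binary: ELF magic, a 4-byte little-endian
    length (an assumption of this toy; real ELF headers differ), then the body."""
    return ELF_MAGIC + struct.pack("<I", len(payload)) + payload


class ToyDisk:
    """Block device plus a directory {name: [block numbers]}.  Mimics the one
    property the thread relies on: rm drops the name, not the bytes."""

    def __init__(self, nblocks: int):
        self.image = bytearray(nblocks * BLOCK)
        self.free = list(range(nblocks))
        self.directory = {}

    def write_file(self, name: str, data: bytes) -> None:
        nb = -(-len(data) // BLOCK)                  # ceil division
        blocks, self.free = self.free[:nb], self.free[nb:]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            self.image[b * BLOCK:b * BLOCK + len(chunk)] = chunk
        self.directory[name] = blocks

    def unlink(self, name: str) -> None:
        """rm: the blocks go back on the free list, contents untouched."""
        self.free = sorted(self.free + self.directory.pop(name))

    def shred(self, name: str) -> None:
        """What a careful attacker does instead: zero the blocks, then unlink."""
        for b in self.directory[name]:
            self.image[b * BLOCK:(b + 1) * BLOCK] = bytes(BLOCK)
        self.unlink(name)


def carve_elf(image: bytes) -> list:
    """Crude unrm/lazarus: look at every block boundary for ELF magic and pull
    out the body.  Needs no directory entry or inode, only the raw blocks.
    Assumes the file was contiguous; fragmentation is what makes real carving hard."""
    found = []
    for off in range(0, len(image), BLOCK):
        if image[off:off + 4] == ELF_MAGIC:
            (n,) = struct.unpack("<I", image[off + 4:off + 8])
            found.append(bytes(image[off + 8:off + 8 + n]))
    return found


def recover_after_rm() -> list:
    """Attacker runs rm and leaves.  The carver still finds the binary."""
    disk = ToyDisk(16)
    disk.write_file("/tmp/.x", make_fake_elf(PAYLOAD))
    disk.write_file("/tmp/notes", b"unrelated file, constructed")
    disk.unlink("/tmp/.x")
    return carve_elf(disk.image)


def recover_after_reuse() -> list:
    """Same rm, but the freed block is reused by a later write before anyone images the disk."""
    disk = ToyDisk(16)
    disk.write_file("/tmp/.x", make_fake_elf(PAYLOAD))
    disk.unlink("/tmp/.x")
    disk.write_file("/var/log/messages", b"Dec  3 11:47:54 host syslogd: constructed log line")
    return carve_elf(disk.image)


def recover_after_shred() -> list:
    """Attacker overwrites the blocks first.  Nothing left to carve."""
    disk = ToyDisk(16)
    disk.write_file("/tmp/.x", make_fake_elf(PAYLOAD))
    disk.shred("/tmp/.x")
    return carve_elf(disk.image)


if __name__ == "__main__":
    print("after rm:   ", recover_after_rm())
    print("after reuse:", recover_after_reuse())
    print("after shred:", recover_after_shred())
```

The practical lesson for the responder side is the second case: every write to the compromised filesystem after the intrusion (logs, package updates, even running a forensic tool on the live box) can reuse the freed blocks, which is why TCT's own guidance is to image the disk with dd first and carve from the image, not from the running system.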