On Tue, Jun 08, 2004 at 05:34:12PM -0700, Ken Herron wrote:

> Given that the remote host is called "proxyscan", they seem to be
> operating in the open. Some IRC servers will scan clients (see
> <http://help.undernet.org/proxyscan/> for example), and some anti-spam
> tactics involve proxy-scanning hosts trying to send mail.

I was talking to Jeff Newmiller and Dmitriy Ivanov on #lugod just now, and
that's pretty much what they mentioned. The odd thing is, she had only
IRC'd to some local servers in the last 6 months, and I don't think any of
them run anything like that. HOWEVER, _I_ probably IRC'd to
irc.freenode.net at some point, and I just checked and they mention:

*** - Freenode runs an open proxy scanner, (www.blitzed.org/bopm), as
*** - described on our policy page
*** - (http://freenode.net/policies.shtml#proxies). Your use of
*** - the network indicates your acceptance of this policy. For your
*** - convenience, reverse DNS for servers running the scanner return the
*** - hostname "freenode-proxyscanner.acc.umu.se".

Still not the same host, but... Also, she doesn't send mail locally, but
does from the ISP's shell. *shrug*

> >Is there some way that the following connection could be made?
> >
> > somewhere.nl --> isp --> melissa's laptop
> >
> >Where all Melissa did was: ssh shell.isp.com ?
>
> Oh, sure. As I'm sure you know, X11 client-server connections normally
> run over TCP. When you connect to a remote host using ssh with X11
> forwarding, the ssh daemon on the remote system sets up an X11 listener
> port for clients to connect to. Depending on how the ssh daemon is
> configured, the X11 listener port can be confined to localhost, or it can
> be accessible over the network.

"ForwardX11" was set locally on her laptop, and I saw "X11Forwarding yes"
in the ISP's "/etc/sshd_config", so maybe that's how it happened.

Jeff, Dmitriy and I think it's _probably_ nothing to worry about, and the
removal of "ForwardX11" from the laptop's SSH options should probably just
make the issue go away.

I also checked /etc/hosts.allow and ran nmap just to make sure nothing
mysterious was running. (The "9999" on my own personal box scared the crap
out of me for a sec, until I remembered I'm running apt-proxy there. :) )

We're also behind a firewall (err, except WAP needs to be stuck in a DMZ
one of these days; I leave it off 99% of the time, though). It currently
only allows IDENT and some bittorrent-related stuff through.

<snip>

> Otherwise, they
> would have had the same access to your display as any other client (which
> is pretty serious from a security standpoint).

Yeaaah... that's what I was guessing. Scary.

I'll post more if anything else happens. In the meantime, I think it's
about time I changed all my passwords. ;)

-bill!

_______________________________________________
vox-tech mailing list
[EMAIL PROTECTED]
http://lists.lugod.org/mailman/listinfo/vox-tech
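The two checks a practitioner would want after reading the exchange above, as an added example that is not part of the original thread or of anything the posters ran. The sshd setting that decides which of Ken's two cases applies is X11UseLocalhost (default yes: the forwarded-X11 listener binds to loopback; "no" binds it to the wildcard address), so the first function classifies an sshd_config text on that basis; the second scans "netstat -tln"-style output for X11 display sockets (TCP 6000 + display number) bound to anything other than loopback, which is what nmap from outside would have found. Both sample inputs below are constructed, not the ISP's config or the laptop's port list.

```shell
# Added example (not from the original post). Two offline checks for the
# situation discussed in the thread: (1) would this sshd_config bind the
# forwarded-X11 listener to the network rather than loopback, and (2) does
# a host currently have X11 display sockets listening on non-loopback
# addresses. All sample inputs are constructed.

# Effective value of one sshd_config keyword, read from stdin. Keywords are
# case-insensitive and, as in sshd, the first occurrence wins; commented-out
# lines do not match; the given default is used when the keyword is absent.
# (Match blocks are not modelled here.)
sshd_effective() {
    key="$1"; default="$2"
    val=$(grep -i -E "^[[:space:]]*${key}[[:space:]]+" | head -n 1 | awk '{print tolower($2)}')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$default"; fi
}

# Classify an sshd_config text. sshd defaults: X11Forwarding no,
# X11UseLocalhost yes. Prints "off", "localhost" or "network".
x11_exposure() {
    cfg="$1"
    fwd=$(printf '%s\n' "$cfg" | sshd_effective X11Forwarding no)
    loopback_only=$(printf '%s\n' "$cfg" | sshd_effective X11UseLocalhost yes)
    if [ "$fwd" != "yes" ]; then
        echo off            # no X11 listener is created for sessions
    elif [ "$loopback_only" = "no" ]; then
        echo network        # listener bound to the wildcard address
    else
        echo localhost      # listener bound to loopback only
    fi
}

# From "netstat -tln"-style lines on stdin (local address in column 4),
# print the local addresses of TCP listeners in the X11 display range
# (6000 + display number, displays 0-63) that are not bound to loopback.
x11_exposed_listeners() {
    awk '$NF == "LISTEN" {
        n = split($4, a, ":"); port = a[n] + 0
        addr = substr($4, 1, length($4) - length(a[n]) - 1)
        if (port >= 6000 && port <= 6063 && addr != "127.0.0.1" && addr != "::1")
            print $4
    }'
}

# --- constructed sample inputs ---
SAMPLE_SSHD_CONFIG='# constructed sshd_config resembling the one described
X11Forwarding yes
X11UseLocalhost no
X11DisplayOffset 10'

SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6011            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:9999            0.0.0.0:*               LISTEN'

x11_exposure "$SAMPLE_SSHD_CONFIG"                        # network
printf '%s\n' "$SAMPLE_NETSTAT" | x11_exposed_listeners   # 0.0.0.0:6011
```

With "X11Forwarding yes" alone the answer is "localhost", since X11UseLocalhost defaults to yes; only an explicit "X11UseLocalhost no" produces a listener a host like somewhere.nl could reach. The client-side fix Bill mentions (dropping ForwardX11) stops the listener from being created for her sessions at all, regardless of how the ISP's sshd is configured.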