[lug] Hacked SSH Daemon

Sean Reifschneider jafo at tummy.com
Sat Sep 8 22:22:34 MDT 2007


On Sat, Sep 08, 2007 at 05:56:06PM -0600, Carl Hamlin wrote:
>Does this seem like a joyriding expedition, or was there objectively
>valuable data on the machine?

The vast majority of the successful attacks I've seen in the last 10 years
were all about getting more machines to launch attacks from.  I can only
remember one attack where I found the attackers were getting into any sort
of privileged data on the system.

To give you an idea of scope, I'd say we're currently managing on the order
of 500 machines for our clients.  However, we run a pretty tight ship, so
we probably see fewer successful attacks and the attacks we do see tend to
be more limited (the majority only get unprivileged access).

This is one of the issues with webmin -- it runs as root, directly
accessible from the Net unless you lock it down, and it includes all these
modules (and additional modules can be installed by that very same web
interface) which do things that most web admins probably shouldn't have
anyway, like "run an arbitrary set of commands on the machine as root".

Sean
-- 
 How does a girl like you get to be a girl like you?
                 -- _North_by_Northwest_
Sean Reifschneider, Member of Technical Staff <jafo at tummy.com>
tummy.com, ltd. - Linux Consulting since 1995: Ask me about High Availability



