[Note: The attack avenue detailed below was used to compromise the entire sensitive corporate network at a firm where I worked at the time. The attacker stole a legitimate user's ssh login credentials at a college server, followed him into his legitimate account at a public shell server for open source software maintainers operated by my firm, used that shell account to find a local root exploit, and replaced the shell server's /usr/bin/ssh with one that he'd trojaned to convey subsequent login credentials to him. One of the firm's IT staff (not me) then made the error of ssh'ing out into the public shell server from the sensitive corporate network, and then ssh'ing or scp'ing back into the sensitive corporate network -- allowing the intruder into the firm. Names are omitted because (among other things) they're not important: The point is that this mode of compromise can occur anywhere, if you use access credentials into your machine from outside machines you don't control and have confidence in.]

From rick Tue May 28 08:48:53 2002
Date: Tue, 28 May 2002 08:48:53 -0700
To: ilug@linux.ie
Subject: Re: [ILUG] Possible hack?

Quoting Barry O'Donovan (barry.odonovan@ucd.ie):

> Included in this are all instances of USER and PASS sent over the
> network. (b@st@rd!)
> My system is RH 7.2 with ALL UPDATES installed via up2date. Not sure
> how he got in yet. The box is behind the UCD firewall with only ssh,
> http, ftp (although no ftpd running) ports open (at least to my
> immediate knowledge).

So, there's a common fallacy in the *ix world that all you have to do, in order to keep the blighters out, is keep your system's software current and thus (with luck) eliminate vulnerabilities before they can be exploited. (I used to think that, too.) But the preceding two paragraphs, considered together, indicate a way things can and do happen otherwise.

Let's say you operate an *ix box and have a limited number of justifiably trusted people as shell users. (Maybe you're being extravagantly paranoid, and are the only shell user.) You carry out all the recommended careful administrative practices, including running and heeding Tripwire (and you indeed deserve congratulations for having done so, by the way!). The only tool you ever use, or think of using, for remote shell access is ssh. You don't run non-anonymous ftp. You don't offer POP3. Thus, no remote-shell passwords are exposed in plaintext.

But you or some other user sshes in. Inevitably, this includes ssh'ing in from boxes not under your administrative control. Let us say that one such user sshes in from a security-compromised host. The intruder who controls that host has, among his security-subverting measures, installed a cracked ssh client that logs (and conveys to him) all security tokens used by outgoing ssh sessions — such as your user's login password. The intruder now has the means to enter your system in the guise of your user.

Once at the shell prompt of your system, his first priority is to crack root access. Fortunately for him, it's far, far easier to do so at the system's command prompt than from a remote location, because he can attack any privileged process, instead of just running network daemons exposed to remote access. (Moen's First Law of Security: It's easier to break in from the inside.) Most *ix systems have lots of such targets installed — and the intruder need succeed in buffer-overflowing (etc.) only one. Now, he sets up a "rootkit" to hide his presence from sysadmin scrutiny, building or retrieving things like the trojaned "ps" binary that won't show his running processes. Last, he sets up additional security-subverting mechanisms such as a trojaned ssh client, which will allow him to collect security tokens for additional systems, allowing the game to perpetuate itself.

> Most likely I'll do a complete reinstall of RH 7.3. (once I find the
> vulnerability).

I hope the above is some help, in explaining why there need not have been a "vulnerability" in the sense you contemplate.

By the way, I hope your first step was to secure backup copies of all files you care about. That should be immediately followed by putting the intruder out of business, in my view.

Cheers,   The difference between common sense and paranoia is that common sense
Rick Moen     is thinking everyone is out to get you.  That's normal; they are.
rick@linuxmafia.com      Paranoia is thinking they're conspiring.  -- J. Kegler
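The detection side of the scenario above is what Tripwire does: a baseline of file hashes and attributes, taken while the box is known clean, compared later against what is on disk. The following is an added example written for this page; it is not Tripwire, not Rick's code, and not anything from the original thread. The function names, the temporary directory standing in for /usr/bin, and the simulated tampering (a replaced "ssh", a "ps" that has acquired a setuid bit) are all constructed for the demonstration.

```python
"""Minimal Tripwire-style file integrity check (added example).

Records a baseline of SHA-256 hash, mode, owner and size for a list of
files, then reports files that have since been replaced, re-permissioned
or removed. Function names and sample file names are this example's own.
"""
import hashlib
import json
import os
import tempfile

# Fields compared on verify. mtime is deliberately left out: an intruder
# can reset it with touch(1); the content hash cannot be faked that way.
TRACKED_FIELDS = ("sha256", "mode", "uid", "gid", "size")


def file_record(path):
    """Hash and stat one file, returning the tracked fields."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "mode": oct(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
    }


def build_baseline(paths):
    """Snapshot taken on a known-clean system. Store the result off-host
    or on read-only media; a baseline the intruder can edit is worthless."""
    return {p: file_record(p) for p in paths}


def verify(baseline):
    """Return {path: reason} for every baseline entry that no longer matches."""
    findings = {}
    for path, expected in baseline.items():
        if not os.path.lexists(path):
            findings[path] = "missing"
            continue
        current = file_record(path)
        diff = [k for k in TRACKED_FIELDS if expected[k] != current[k]]
        if diff:
            findings[path] = "changed: " + ",".join(diff)
    return findings


def demo():
    """Constructed scenario: a temp dir stands in for /usr/bin. After the
    baseline is taken, 'ssh' is swapped for a different binary (as in the
    story above) and 'ps' gains a setuid bit; 'scp' is left untouched.
    Returns findings keyed by basename so the result is path-independent."""
    with tempfile.TemporaryDirectory() as bindir:
        names = ("ssh", "scp", "ps")
        for n in names:
            with open(os.path.join(bindir, n), "wb") as f:
                f.write(b"#!/bin/sh\necho genuine " + n.encode() + b"\n")
            os.chmod(os.path.join(bindir, n), 0o755)
        baseline = build_baseline([os.path.join(bindir, n) for n in names])

        # Simulated compromise (constructed; contents are placeholders).
        with open(os.path.join(bindir, "ssh"), "wb") as f:
            f.write(b"#!/bin/sh\necho trojaned ssh\n")   # new hash, new size
        os.chmod(os.path.join(bindir, "ps"), 0o4755)        # mode change only

        return {os.path.basename(p): why for p, why in verify(baseline).items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats a practitioner would want. First, once a rootkit is installed the host's own `md5sum`, `ls`, libc and kernel are suspect, so verification on a box you already doubt has to be run from trusted media (a boot CD or a mounted-read-only copy of the filesystem), not from the running system. Second, on a Red Hat box `rpm -V openssh-clients` performs the same sort of comparison against the package database, but the database and `rpm` itself are both writable by root, so the same rule applies: trust only a baseline the intruder never had a chance to touch.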