Full Disclosure mailing list archives
RE: !SPAM! Automated ssh scanning
From: Ron DuFresne <dufresne () winternet com>
Date: Thu, 26 Aug 2004 12:26:04 -0500 (CDT)
On Thu, 26 Aug 2004, Stephen Agar wrote:
> I think many of you are missing the point. Yes the guest/guest account is weak, but this kernel is (according to debian) patched... therefore free from local exploits that can be used to gain superuser access. I mean if this were the case, then any box that ran this version of debian to do something like "web hosting" that gave users shell access, may as well give them all full sudo. Because you people are assuming that if someone can gain access to the box, secured or not, they can gain root... I disagree.

The issue here is why does debian include such a weak account, that has not been tamed via a very restricted chroot env!?

> I feel totally confident that if you gain access to my FreeBSD 4.10 box with an unprivileged account (not that you will, of course) then you will remain an "unprivileged user" no local root exploit....no worries.

As Barry pointed to directly, it all depends upon what you make available to your clients once in a shell. It's very likely your server would be as exploitable as most 'default' installs with the kitchen sink dropped in. Perhaps not, but likely, depending upon what you 'installed and allow clients access to'.

Thanks,

Ron DuFresne

> --stephen
>
> -----Original Message-----
> From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Todd Towles
> Sent: Thursday, August 26, 2004 8:12 AM
> To: Richard Verwayen; FD
> Subject: RE: !SPAM! [Full-disclosure] Automated ssh scanning
>
> The kernel could be safe. But with weak passwords, you are toast. Any automated tool would test guest/guest.
>
> -----Original Message-----
> From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Richard Verwayen
> Sent: Thursday, August 26, 2004 6:08 AM
> To: 'FD'
> Subject: RE: !SPAM! [Full-disclosure] Automated ssh scanning
>
> On Thu, 2004-08-26 at 11:47, Yaakov Yehudi wrote:
> > In spite of many reports to the contrary, Linux is _not_ secure by default. Did you harden it? There is a lot of documentation on the web as to how to go about it.
> >
> > YY
>
> Hello Yaakov,
>
> This system was a pure debian woody non-production one with all services disabled - just ssh was left open in order to see for what purpose the scan was! Yes, there was a guest account with a weak password (guest) on it! And yes, they logged in and became root in no time. But I thought the kernel compiled from the latest debian woody kernel-source could be considered to be safe. But I was wrong! So I posted the tools used by the attackers to this list and also to the debian security team.
>
> Richard
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.