[EMAIL PROTECTED] said:
> of them. It's not a password problem either. He seems to have hacked
> multiple of them within an hour of each other (his rootkit files
> aren't very clever about covering up mtime). I just can't tell how he
> got in.

Maybe he didn't use the same method for all of them. With the tty sniffer, he could have sniffed passwords from the first box he cracked if he was lucky enough to catch an admin su'ing. Do the timestamps support that theory? (This is why ssh keys are good -- no secret of any kind ever exists on the server, so even if it's compromised the attacker can't sniff a password or secret key and use that to get into other machines).

Also, how many people ssh into these machines? He could have control of the desktop machine of someone who has user access, and then use local holes to gain root once logged in as that user.

Jason
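
One way to check whether the timestamps support the sniffed-password theory, as an added example that is not part of the original message: for each host, list the admins who ran su on an already-compromised host before that host's rootkit files appeared. The host names, times, account names and the `sniffed_password_candidates` helper are constructed for illustration, and the check assumes the hosts' clocks agree and that the rootkit mtimes were not altered.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample data: earliest rootkit file mtime found on each host.
ROOTKIT_MTIME = {
    "hostA": "2003-05-10 02:14:07",
    "hostB": "2003-05-10 02:41:30",
    "hostC": "2003-05-10 02:58:12",
}
# Constructed sample data: su-to-root events taken from each host's auth log.
SU_EVENTS = [
    ("hostA", "2003-05-10 02:25:44", "alice"),
    ("hostC", "2003-05-09 18:03:10", "bob"),
]
# Assumption: hosts where each admin's password is also valid.
ADMIN_ACCESS = {"alice": {"hostA", "hostB", "hostC"}, "bob": {"hostC"}}


def parse(ts):
    return datetime.strptime(ts, FMT)


def sniffed_password_candidates(rootkit_mtime, su_events, admin_access):
    """Map each host to (source_host, admin) pairs that could explain it:
    the admin ran su on a source host after that host was compromised and
    before this host's rootkit appeared, and has access to this host."""
    compromised = {h: parse(ts) for h, ts in rootkit_mtime.items()}
    result = {h: [] for h in compromised}
    for src, ts, admin in su_events:
        when = parse(ts)
        # A sniffer can only capture an su typed after the source host fell.
        if src not in compromised or when < compromised[src]:
            continue
        for host, fell in compromised.items():
            if host != src and fell > when and host in admin_access.get(admin, set()):
                result[host].append((src, admin))
    return result


if __name__ == "__main__":
    found = sniffed_password_candidates(ROOTKIT_MTIME, SU_EVENTS, ADMIN_ACCESS)
    for host in sorted(found, key=lambda h: parse(ROOTKIT_MTIME[h])):
        print(host, found[host] or "no sniffed-password explanation")
```

A host with an empty list, such as the first one compromised, needs a different explanation for the initial entry.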