On Tue, May 02, 2006 at 09:33:48AM -0400, jared r r spiegel wrote:
>
> i am not asserting that the compromise-pack did not have
> a precompiled sshd binary for openbsd ( the prior hop
> up the compromise chain in this case was a debianlinux ),
> but if it didn't, it may not have rooted machine B.
to clarify that (coffee), without a compiler on B, the autobot may not have been able to infect the sshd running on machine B like it did. naturally it still had root level access since the user whose UN/PW it got from machine A had sudo on machine B, but whether or not the autobot was smart enough to do anything with it is a different facet.

i find it worth mentioning that not using common passwords between different hosts ( the user's password on A and B were the same, despite the UN being different -- but iirc it grabbed the right username for B out of .ssh/config ) would've made the autobot's attack unable to gain access to B at all.

... not using common passwords and also never using passphraseless keys for accessing a host on which that user has root/sudo...

not having a compiler on B in this case, again, would not change the fact that we considered B to be compromised and planned to offline it and reinstall/etc, but it, from looking at the history file for the user and /var/log/secure for the sudo commands, didn't have it in its bag of tricks to be able to *infect* host B if B didn't have a compiler on it. ( and thus make B a further bastion for infection spreading, because anyone who ssh'd into B and hit 'yes' after the "omg known host key changed" warning would have their password then "harvested", and if their .ssh/* had login info for other remote hosts on which they did have sudo, the autobot would have probably been able to gain access and possibly infect those hosts as well ).

to emphasize, this appears to have been in no way a supervised attack targeted specifically at B; but rather a blind infecto-bot following its success-path.

if we didn't have that little PIII/450 sitting next to the machine now, for the purposes of bringing live, getting patches onto, making .tgzs, and then copying them over to untar onto host B, what bob beck criticized about would be entirely accurate about me.

--

jared

[ openbsd 3.9-current GENERIC ( mar 15 ) // i386 ]
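The message names two precautions that would have stopped the bot at host B: no passwords shared between hosts, and no passphraseless keys for hosts where the user has sudo. The script below, added here as an example and not part of the thread, checks a user's ~/.ssh for the second one and lists the Host entries in ~/.ssh/config that a harvested key or reused password would have handed over. It assumes a POSIX sh with a base64(1) that accepts -d (GNU coreutils; on OpenBSD use `openssl base64 -d` instead), and the sample files it writes in make_samples are constructed header-only stand-ins, not real keys.

```sh
#!/bin/sh
# Added example, not code from the thread. Finds private keys stored
# without a passphrase and reports what ssh_config exposes alongside them.
# Assumes POSIX sh plus "base64 -d" (GNU coreutils).

# key_is_unprotected FILE
# exit 0: private key with no passphrase; 1: encrypted; 2: not a key.
key_is_unprotected() {
    f=$1
    first=$(head -n 1 "$f" 2>/dev/null)
    case $first in
    '-----BEGIN OPENSSH PRIVATE KEY-----')
        # openssh-key-v1: 15-byte magic, then a length-prefixed cipher
        # name starting at byte 19; "none" means stored in the clear.
        cipher=$(sed -e '1d' -e '/^-----END/,$d' "$f" | base64 -d 2>/dev/null |
                 dd bs=1 skip=19 count=4 2>/dev/null)
        [ "$cipher" = "none" ] && return 0
        return 1
        ;;
    '-----BEGIN '*' PRIVATE KEY-----')
        # Legacy PEM keys carry a Proc-Type header only when encrypted.
        grep -q '^Proc-Type: 4,ENCRYPTED' "$f" && return 1
        return 0
        ;;
    esac
    return 2
}

# config_hosts FILE: print "host user" for each Host stanza ("-" if no User).
config_hosts() {
    awk 'tolower($1)=="host" { if (h!="") print h, (u=="" ? "-" : u); h=$2; u="" }
         tolower($1)=="user" { u=$2 }
         END { if (h!="") print h, (u=="" ? "-" : u) }' "$1"
}

# count_unprotected DIR: print the number of passphraseless keys under DIR,
# naming each one on stderr.
count_unprotected() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case $f in *.pub|*/config|*/known_hosts|*/authorized_keys) continue ;; esac
        if key_is_unprotected "$f"; then
            echo "UNPROTECTED: $f" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# audit_ssh_dir DIR: full report; exit 1 if any unprotected key was found.
audit_ssh_dir() {
    n=$(count_unprotected "$1")
    if [ "$n" -gt 0 ] && [ -f "$1/config" ]; then
        echo "$n unprotected key(s); hosts reachable via $1/config:"
        config_hosts "$1/config" | sed 's/^/  /'
        return 1
    fi
    [ "$n" -eq 0 ]
}

# make_samples DIR: constructed sample files (headers only, not usable
# keys) so the audit can be exercised offline.
make_samples() {
    d=$1
    mkdir -p "$d"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIBsampleNOTaREALkey=' \
        '-----END RSA PRIVATE KEY-----' > "$d/id_plain"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF' '' \
        'c2FtcGxlTk9UYVJFQUxrZXk=' '-----END RSA PRIVATE KEY-----' > "$d/id_enc"
    { echo '-----BEGIN OPENSSH PRIVATE KEY-----'
      printf 'openssh-key-v1\000\000\000\000\004none\000\000\000\004none' | base64
      echo '-----END OPENSSH PRIVATE KEY-----'; } > "$d/id_v1none"
    { echo '-----BEGIN OPENSSH PRIVATE KEY-----'
      printf 'openssh-key-v1\000\000\000\000\012aes256-ctr\000\000\000\006bcrypt' | base64
      echo '-----END OPENSSH PRIVATE KEY-----'; } > "$d/id_v1aes"
    printf '%s\n' 'Host hostb' '    HostName hostb.example.net' '    User jrrs' \
        '    IdentityFile ~/.ssh/id_plain' 'Host hostc' \
        '    IdentityFile ~/.ssh/id_enc' > "$d/config"
}

# Usage: sh audit_ssh.sh ~/.ssh
if [ $# -gt 0 ]; then audit_ssh_dir "$1"; fi
```

The check reads only the key headers, which is enough to flag the passphraseless case the thread is about; where ssh-keygen is present, `ssh-keygen -y -P '' -f KEY` succeeding is the authoritative confirmation that a key loads with an empty passphrase. A password shared across hosts cannot be detected from the client side at all, which is why that precaution has to be enforced by policy rather than by a script.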