Re: Did any of you ever see a machine compromised by remote root? (Was Re: Allowing remote root login seems to be bad.)


Ron Arts wrote:
> Even though the root password was strong?

In the wild? Yep. Although indirectly.

What happened was someone got a hold of a backup and restored the /
partition to a system for which they owned root, then did a password
crack against the /etc/shadow file. They apparently got the backup
through compromising a user account, then finding a file that had a
backup stored in an insecure directory.

Doing pen testing, I have found directories on systems where the average
user could find files of cracked passwords (including root) that
internal security people had created while testing password strength,
and I have found previous pen test reports that disclosed cracked root
passwords that were still the same password a year or more later. Worse,
I have found NIS, NIS+, and LDAP directory services that contain a root
password common to all systems.

If you can crack ANY account on a system, you can probably get to root
sooner rather than later.

When doing pen testing or ethical hacking, it is rare that I cannot
recover the root password hashes; then it is just a matter of time until
I own root. Worse, it is all too often that I am able to grab root
passwords sent over the network in clear text using telnet, ftp, ad
nauseam. (See the DSniff tool kit, for example.)

Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253

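A defender-side check for the first failure mode described in the post: a copy of /etc/shadow left inside a backup that ordinary users can read. This is an added example, not code from the original message; the directory layout, file names and hash values below are constructed for the demo.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# A shadow(5) entry whose second field is a crypt(3) hash ($1$, $5$, $6$, $y$, ...)
# or a legacy 13-character DES hash. Locked accounts ("*", "!") do not match.
SHADOW_LINE = re.compile(r"^[a-z_][a-z0-9_-]*:(\$[0-9a-zA-Z]+\$[^:]+|[./0-9A-Za-z]{13}):")


def is_exposed(mode: int) -> bool:
    """True when group or others can read the file: the 'insecure directory' case."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def shadow_copies(root: str):
    """Yield (path, exposed, hash_count) for every regular file under root that
    holds at least one shadow-style hash line, e.g. a stray backup of /etc/shadow."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                st = p.lstat()
                if not stat.S_ISREG(st.st_mode):
                    continue  # skip symlinks, devices, sockets
                with p.open("r", errors="replace") as fh:
                    hits = sum(1 for line in fh if SHADOW_LINE.match(line))
            except OSError:
                continue  # unreadable or vanished file; not our concern here
            if hits:
                yield str(p), is_exposed(st.st_mode), hits


def demo() -> list:
    """Constructed tree: a world-readable shadow backup (the finding), a properly
    protected copy, and an unrelated file that must not be reported."""
    base = tempfile.mkdtemp()
    bad = Path(base, "backup", "etc", "shadow")
    bad.parent.mkdir(parents=True)
    bad.write_text("root:$6$constructed$notarealhash:19000:0:99999:7:::\n"
                   "daemon:*:19000:0:99999:7:::\n")
    bad.chmod(0o644)  # readable by everyone: this is the problem
    good = Path(base, "shadow.ok")
    good.write_text("root:$6$constructed$alsofake:19000:0:99999:7:::\n")
    good.chmod(0o600)
    Path(base, "notes.txt").write_text("nothing to see here\n")
    return sorted(shadow_copies(base))
```

Run `shadow_copies("/")` as root during an audit and treat every result with `exposed == True` as a root-password exposure to be fixed and rotated.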


