From owner-freebsd-questions Tue Jul 31 12:57:19 2001 Delivered-To: freebsd-questions@freebsd.org Received: from mtiwmhc26.worldnet.att.net (mtiwmhc26.worldnet.att.net [204.127.131.51]) by hub.freebsd.org (Postfix) with ESMTP id 0ABDD37B401 for ; Tue, 31 Jul 2001 12:57:17 -0700 (PDT) (envelope-from parv@worldnet.att.net) Received: from worldnet.att.net ([32.100.199.190]) by mtiwmhc26.worldnet.att.net (InterMail vM.4.01.03.16 201-229-121-116-20010115) with ESMTP id <20010731195716.QCSJ18077.mtiwmhc26.worldnet.att.net@worldnet.att.net>; Tue, 31 Jul 2001 19:57:16 +0000 Received: by worldnet.att.net (Postfix, from userid 1001) id 7753E51004; Tue, 31 Jul 2001 16:01:19 -0400 (EDT) Date: Tue, 31 Jul 2001 16:01:19 -0400 From: parv To: Sys Admin Cc: freebsd-questions@freebsd.org Subject: Re: ssh to a compromised (probably) box Message-ID: <20010731160119.C633@moo.holy.cow> Mail-Followup-To: Sys Admin , freebsd-questions@freebsd.org References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: ; from admin@cb21.co.jp on Tue, Jul 31, 2001 at 05:17:16PM +0900 Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG on Jul 31 05:06, i got this from Sys... > > Hello, > > Just being curious. > > Considering the following scenario > > Box A (local) ----------------------> Box B (remote) > > Assume that box B has been compromised (root powers) > > If I ssh into box B from A, su to root and start investigating the > damage done, will the hacker be able to sniff the root password ? (during > su to root) > > [ Given that critical binaries (sshd, su ..) remained unchanged ] > curious... are there other ways to sniff which don't require kernel support, like option KTRACE or pseudo-devics bpf? -- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message