From owner-freebsd-security  Wed Dec  1 14:12:29 1999
Delivered-To: freebsd-security@freebsd.org
Received: from kerouac.deepwell.com (deepwell.com [209.63.174.12])
	by hub.freebsd.org (Postfix) with SMTP id 9DE3D14F94
	for <freebsd-security@freebsd.org>; Wed,  1 Dec 1999 14:12:25 -0800 (PST)
	(envelope-from freebsd@deepwell.com)
Received: (qmail 29987 invoked from network); 1 Dec 1999 23:03:40 -0000
Received: from proxy.dcomm.net (HELO terry) (209.63.175.10)
  by deepwell.com with SMTP; 1 Dec 1999 23:03:40 -0000
Message-Id: <4.2.0.58.19991201140744.014d5dd0@mail1.dcomm.net>
X-Sender: freebsd@mail.deepwell.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58 
Date: Wed, 01 Dec 1999 14:12:09 -0800
To: Jason Hudgins <thanatos@incantations.net>,
	freebsd-security@freebsd.org
From: Deepwell Internet <freebsd@deepwell.com>
Subject: Re: logging a telnet session
In-Reply-To: <Pine.BSF.4.10.9912011557010.20827-100000@eddie.incantation
 s.net>
References: <Pine.BSF.4.21.9912011444500.51911-100000@anchovy.orem.iserver.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Paul also suggested leaking the cleartext before encryption which is also 
good.  It would roughly double the local bandwidth used by him, but I can't 
doubling telnet/ssh would be a big deal.  a netstat may give this away, but 
you could use udp to send the plaintext to the logging host.  As for 
writing this from scratch, you may be able to find something like this in a 
rootkit.


At 04:00 PM 12/1/99 -0600, you wrote:
> > No.  Remember, you're the one calling the shots.  Go ahead and trojan your
> > own sshd to leak session keys so you can decrypt the sniffed sessions, or
> > even better, have it leak the cleartext before encrypting it.
>
>Well, I think it would be easier to just trojanize some binaries on
>the cracked box (like ps) and make the logging process invisible then to
>trojan sshd AND write a decryption client of sorts.
>
> > The original poster wanted to watch a telnet session anyway.
>
>Yeah, I was the original poster, I'm just talking theory now. =)
>
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message