From owner-freebsd-questions Thu Aug 2 7:24:24 2001 Delivered-To: freebsd-questions@freebsd.org Received: from ns1.cb21.co.jp (b3.lan.neweb.ne.jp [210.157.128.252]) by hub.freebsd.org (Postfix) with SMTP id 6529E37B401 for ; Thu, 2 Aug 2001 07:24:19 -0700 (PDT) (envelope-from admin@cb21.co.jp) Received: (qmail 54848 invoked from network); 2 Aug 2001 23:24:18 +0900 Received: from localhost.cb21.co.jp (HELO localhost) (127.0.0.1) by localhost.cb21.co.jp with SMTP; 2 Aug 2001 23:24:18 +0900 To: kris@obsecurity.org Cc: freebsd-questions@FreeBSD.ORG Subject: Re: ssh to a compromised (probably) box From: Sys Admin In-Reply-To: <20010731020208.A18704@xor.obsecurity.org> References: <20010731020208.A18704@xor.obsecurity.org> X-Mailer: Mew version 1.94.2 on Emacs 19.34 / Mule 2.3 (SUETSUMUHANA) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-Id: <20010802232418U.admin@cb21.co.jp> Date: Thu, 02 Aug 2001 23:24:18 +0900 X-Dispatcher: imput version 20000228(IM140) Lines: 31 Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG Thanks Kris and parv. Bit frighening! Time to reinstall :( (sorry for the delayed response) Tad. > On Tue, Jul 31, 2001 at 05:17:16PM +0900, Sys Admin wrote: > > > > Hello, > > > > Just being curious. > > > > Considering the following scenario > > > > Box A (local) ----------------------> Box B (remote) > > > > Assume that box B has been compromised (root powers) > > > > If I ssh into box B from A, su to root and start investigating the > > damage done, will the hacker be able to sniff the root password ? (during > > su to root) > > > > [ Given that critical binaries (sshd, su ..) remained unchanged ] > > Yes. They can do anything on that box now. > > Kris To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message