Date: Fri, 28 May 1999 18:27:04 -0700
From: <dpilgrim@uswest.net>
To: Michael Richards <026809r@dragon.acadiau.ca>
Cc: Dima <dima@nic.mmc.net.ge>, security@FreeBSD.ORG
Subject: Re: System beeing cracked!
Message-ID: <374F4268.F4993C8B@uswest.net>
References: <Pine.GSO.4.05.9905282044021.14284-100000@dragon>
Michael Richards wrote:
>
> On Fri, 28 May 1999, Dima wrote:
>
> > can hack into my system. He has an ordinary account opened. So, he won! And
> > I'm wondering if there are any security holes in 3.1? He logged in as
> > himself via telnet, then he made himself root (but he was not in the wheel group
> > and of course did not know the root password) and what is more interesting he
> Finding an exploitable suid program would allow this to happen.
>
> > cracked several passwords. He did all this in 2 hours, and the passwords were
> > a minimum of 10 symbols in length, containing different case and digits. I am
> > using MD5 coding, and as I knew it is impossible. Has anyone any idea
> I would do 2 things:
> a) take your master.passwd file and run crack on it yourself and see if it
> finds the passwords itself. I played with crack once a long time ago and
> based on what you've said about the cracked password, I believe it is more
> likely that he
> a) broke root
> b) sniffed the passwords
>
> or maybe he shoulder surfed the passwords... I don't believe that md5 can
> be cracked that quickly. I guess it depends on the randomness of the
> password. "thisissEcur3" might take a week, but crack will still get it.
> I think one of the first rules is to replace [il]=1 e=3 s=5 a=4 and all
> the other commonly substituted letters.

I wrote a password cracking/guessing program that has an option to do 'leet character substitutions; they're far too well known and thus not a very good way to make a password secure. Case-sensitive alphanumeric random character generation is far more secure, with an 8 character password having over 136.3 trillion possibilities assuming no repeat characters.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?374F4268.F4993C8B>
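An added example, not part of the thread, that works through the arithmetic behind the reply: the 62P8 keyspace of a random case-sensitive alphanumeric password, how few candidates the `[il]=1 e=3 s=5 a=4` substitution rule actually adds to a dictionary word, and a policy check that undoes those substitutions so a password manager or pam module could reject such passwords. The `thisissEcur3` example and the substitution table are from the message; the function names and the tiny word list are assumptions of mine.

```python
"""Keyspace arithmetic for the two password strategies discussed in the thread."""
import math
from itertools import product
from typing import Dict, Iterable, List, Set

# Substitution rule quoted in the thread: [il]=1 e=3 s=5 a=4 (letter -> digit)
LEET: Dict[str, str] = {"i": "1", "l": "1", "e": "3", "s": "5", "a": "4"}
# Reverse map used to undo substitutions; "1" is ambiguous (i or l)
UNLEET: Dict[str, str] = {"1": "il", "3": "e", "5": "s", "4": "a"}


def leet_variants(word: str) -> List[str]:
    """Every candidate a substitution rule tries for one dictionary word: each
    substitutable letter stays or is replaced, independently, so the count is
    2**k for k substitutable letters (128 for 'thisissecure'), not millions."""
    choices: List[Iterable[str]] = [
        (c, LEET[c]) if c in LEET else (c,) for c in word.lower()
    ]
    return ["".join(t) for t in product(*choices)]


def random_alnum_space(length: int, allow_repeats: bool = False) -> int:
    """Keyspace of a case-sensitive alphanumeric password (26+26+10 = 62 symbols).
    Without repeats this is the permutation 62P8 = 136,325,893,334,400 that the
    reply rounds to 'over 136.3 trillion'."""
    return 62 ** length if allow_repeats else math.perm(62, length)


def bits(n: int) -> float:
    """Search-space size expressed as bits of entropy, log2(n)."""
    return math.log2(n)


def is_leet_of_dictionary(password: str, words: Set[str]) -> bool:
    """Policy check (hypothetical helper): True if undoing the substitutions and
    case-folding yields a dictionary word. Only '1' branches, so the work is
    2**count('1') candidates, not 2**len(password)."""
    choices = [UNLEET.get(c, c) for c in password.lower()]
    return any("".join(t) in words for t in product(*choices))


if __name__ == "__main__":
    # Constructed sample: the reply's own example password and a tiny word list
    words = {"thisissecure", "password", "secure"}
    print(len(leet_variants("thisissecure")), "substitution variants of 'thisissecure'")
    print("thisissEcur3 is a dictionary word in disguise:",
          is_leet_of_dictionary("thisissEcur3", words))
    n = random_alnum_space(8)
    print(f"random 8-char alnum, no repeats: {n:,} (~{bits(n):.1f} bits)")
```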