Date: Tue, 31 Jul 2001 05:21:02 -0400 From: parv <parv_@yahoo.com> To: Sys Admin <admin@cb21.co.jp> Cc: freebsd-questions@freebsd.org Subject: Re: ssh to a compromised (probably) box Message-ID: <20010731052102.A42700@moo.holy.cow> In-Reply-To: <Pine.BSF.4.33.0107311708530.37842-100000@ns1.cb21.co.jp>; from admin@cb21.co.jp on Tue, Jul 31, 2001 at 05:17:16PM %2B0900 References: <Pine.BSF.4.33.0107311708530.37842-100000@ns1.cb21.co.jp>
next in thread | previous in thread | raw e-mail | index | archive | help
on Jul 31 05:06, i got this from Sys...
>
> Considering the following scenario
>
> Box A (local) ----------------------> Box B (remote)
>
> Assume that box B has been compromised (root powers)
>
> If I ssh into box B from A, su to root and start investigating the
> damage done, will the hacker be able to sniff the root password ? (during
> su to root)
>
i may be wrong but i suppose use of ktrace would do it (on the sshd
server)...
# ps -waux | grep sshd| egrep -v 'waux|grep' \
> awk '{ print $2 }' | xargs ktrace -p
...then...
# kdump -l
...by default, ktrace creates, & kdump reads, "ktrace.out" file in
current directory; one can optionally supply alternate file path
for both; there may be an easier way...
--
so, do you like word games or scrabble?
- parv
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010731052102.A42700>