From owner-freebsd-questions Tue Jul 31 02:17:07 2001
Date: Tue, 31 Jul 2001 05:21:02 -0400
From: parv
To: Sys Admin
Cc: freebsd-questions@freebsd.org
Subject: Re: ssh to a compromised (probably) box
Message-ID: <20010731052102.A42700@moo.holy.cow>
In-Reply-To: ; from admin@cb21.co.jp on Tue, Jul 31, 2001 at 05:17:16PM +0900

on Jul 31 05:06, i got this from Sys...

> Considering the following scenario
>
> Box A (local) ----------------------> Box B (remote)
>
> Assume that box B has been compromised (root powers)
>
> If I ssh into box B from A, su to root and start investigating the
> damage done, will the hacker be able to sniff the root password ? (during
> su to root)

i may be wrong but i suppose use of ktrace would do it (on the sshd
server)...

  # ps -waux | grep sshd | egrep -v 'waux|grep' | \
  > awk '{ print $2 }' | xargs ktrace -p

...then...

  # kdump -l

...by default, ktrace creates, & kdump reads, "ktrace.out" file in
current directory; one can optionally supply alternate file path for
both; there may be an easier way...

--
so, do you like word games or scrabble?

- parv