Date:      Wed, 01 Dec 1999 14:12:09 -0800
From:      Deepwell Internet <freebsd@deepwell.com>
To:        Jason Hudgins <thanatos@incantations.net>, freebsd-security@freebsd.org
Subject:   Re: logging a telnet session
Message-ID:  <4.2.0.58.19991201140744.014d5dd0@mail1.dcomm.net>
In-Reply-To: <Pine.BSF.4.10.9912011557010.20827-100000@eddie.incantations.net>
References:  <Pine.BSF.4.21.9912011444500.51911-100000@anchovy.orem.iserver.com>

Paul also suggested leaking the cleartext before encryption, which is also
good.  It would roughly double the local bandwidth used by him, but I can't
imagine doubling telnet/ssh would be a big deal.  A netstat may give this away,
but you could use UDP to send the plaintext to the logging host.  As for
writing this from scratch, you may be able to find something like this in a
rootkit.


At 04:00 PM 12/1/99 -0600, you wrote:
> > No.  Remember, you're the one calling the shots.  Go ahead and trojan your
> > own sshd to leak session keys so you can decrypt the sniffed sessions, or
> > even better, have it leak the cleartext before encrypting it.
>
>Well, I think it would be easier to just trojanize some binaries on
>the cracked box (like ps) and make the logging process invisible than to
>trojan sshd AND write a decryption client of sorts.
>
> > The original poster wanted to watch a telnet session anyway.
>
>Yeah, I was the original poster, I'm just talking theory now. =)
>
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message


