From: Adam Carter
To: gentoo-user@lists.gentoo.org
Date: Tue, 10 Aug 2010 13:06:38 +1000
Subject: Re: [gentoo-user] Rooted/compromised Gentoo, seeking advice
List-Id: Gentoo Linux mail

> Alternatively I was running vulnerable/compromised software. My box
> has sshd running, root login in ssh is not allowed, and pubkey only
> logins (no passwords). It is behind a wireless router but port 22 is
> open and pointing to this box, and a few others needed by other
> applications. So I will check out which keys exist on the compromised
> machine and make sure I recognize them all. I'll also need to check
> the status of any other computer my key is stored on (a mix of linux &
> windows, and my mobile phone). Sigh...

Since your sshd setup is pretty secure, I'd look at other network services. What else was running, and were there any servers that were only available from the local net (or were less protected from connections from the local net) than the Internet? That's the only case where a router compromise would assist in attacking your gentoo box.

There have been some web browser based attacks that have come out against routers recently. They run the attack on your browser (cross site scripting IIRC) to get access to the web interface of the router because that is typically not available via the Internet side interface. They then run a password guessing attack. Did your router have a strong password?
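The two checks this exchange recommends, going through every key in authorized_keys to make sure each one is recognised, and finding out what else was listening (especially services reachable from the local net rather than only from loopback), can be done by hand, but a small script makes the result reviewable. The following is an added example written for this thread, not code from either poster. It assumes you have copied the compromised machine's authorized_keys file and the text output of `ss -lntu` off the box for offline review; every key blob and socket line in it is constructed for illustration, and the "known good" fingerprints stand in for the ones you would compute on your own trusted machines with `ssh-keygen -lf`.

```python
"""Post-compromise triage helpers (added example, not the posters' code).

1. parse_authorized_keys(): one record per key line with the SHA256
   fingerprint in the same format ssh-keygen -lf prints, so it can be
   compared against fingerprints taken from machines you trust.
2. lan_exposed_listeners(): parse `ss -lntu` output and report sockets
   bound to anything other than a loopback address.

All sample input below is constructed for the example.
"""
import base64
import hashlib
import ipaddress
from typing import Dict, List, Set

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def ssh_fingerprint(b64_blob: str) -> str:
    """SHA256 fingerprint as OpenSSH shows it: unpadded base64 of SHA-256 over the raw blob."""
    raw = base64.b64decode(b64_blob)
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")


def parse_authorized_keys(text: str) -> List[Dict[str, str]]:
    """Return records of {options, type, fingerprint, comment}; unparseable lines are kept
    (type 'malformed') because an odd line in authorized_keys is itself worth a look."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        # Line format is "[options] keytype base64 [comment]"; the first token that is a
        # key type splits options from the key.  Quoted options containing spaces are
        # re-joined with single spaces, which is good enough for review output.
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        try:
            if idx is None or idx + 1 >= len(tokens):
                raise ValueError("no key type / blob")
            fp = ssh_fingerprint(tokens[idx + 1])
        except ValueError:
            records.append({"options": "", "type": "malformed", "fingerprint": "", "comment": line})
            continue
        records.append({"options": " ".join(tokens[:idx]), "type": tokens[idx],
                        "fingerprint": fp, "comment": " ".join(tokens[idx + 2:])})
    return records


def unknown_keys(records: List[Dict[str, str]], known: Set[str]) -> List[Dict[str, str]]:
    """Keys whose fingerprint is not on the trusted list (malformed lines count as unknown)."""
    return [r for r in records if r["fingerprint"] not in known]


def lan_exposed_listeners(ss_output: str) -> List[str]:
    """'proto local:port' for every socket in `ss -lntu` output not bound to loopback."""
    exposed = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "Netid":   # skip blank lines and the header
            continue
        proto, local = parts[0], parts[4]
        host, _, _port = local.rpartition(":")
        host = host.strip("[]")
        if host in ("*", ""):                       # some ss versions print '*' for unspecified
            exposed.append(f"{proto} {local}")
            continue
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:                          # e.g. '%iface' zone suffix: leave for manual review
            continue
        if not addr.is_loopback:                    # 0.0.0.0 / :: / LAN addresses all count
            exposed.append(f"{proto} {local}")
    return exposed


# --- constructed sample data (not real keys or a real host) -------------------------------
LAPTOP_BLOB = base64.b64encode(b"constructed laptop key blob").decode()
PHONE_BLOB = base64.b64encode(b"constructed phone key blob").decode()
STRANGE_BLOB = base64.b64encode(b"constructed key nobody recognises").decode()

SAMPLE_AUTHORIZED_KEYS = f"""# constructed ~/.ssh/authorized_keys
ssh-ed25519 {LAPTOP_BLOB} me@laptop
ssh-rsa {PHONE_BLOB} me@phone
from="192.168.1.0/24",no-pty ssh-rsa {STRANGE_BLOB} backup
"""
# Fingerprints you would have collected from your trusted machines beforehand.
KNOWN_GOOD = {ssh_fingerprint(LAPTOP_BLOB), ssh_fingerprint(PHONE_BLOB)}

SAMPLE_SS_OUTPUT = """Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:631       0.0.0.0:*
tcp   LISTEN 0      5      192.168.1.10:5900   0.0.0.0:*
tcp   LISTEN 0      128    [::]:22             [::]:*
udp   UNCONN 0      0      0.0.0.0:5353        0.0.0.0:*
tcp   LISTEN 0      50     [::1]:3306          [::]:*
"""

if __name__ == "__main__":
    recs = parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS)
    for r in unknown_keys(recs, KNOWN_GOOD):
        print("UNKNOWN KEY:", r["type"], r["fingerprint"], r["comment"], r["options"])
    for sock in lan_exposed_listeners(SAMPLE_SS_OUTPUT):
        print("REACHABLE BEYOND LOOPBACK:", sock)
```

Run it against the real files and the first list is what to revoke and trace (any key you cannot account for, plus the options attached to it); the second list is the set of services the reply asks about, i.e. the ones a compromised router or any other host on the LAN could have reached, which is where to look for the actual entry point.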