Home page logo
/

educause logo Educause Security Discussion mailing list archives

Re: Ongoing Port 6000 attacks, Windows Xserver Compromises, keyloggers
From: Warren Petrofsky <petrofsk () SAS UPENN EDU>
Date: Wed, 24 Jan 2007 19:58:24 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Brian Smith-Sweeney wrote:
Hey Warren,

We've seen the same thing recently and we're pretty sure this is a
result of X11 sniffing.  A number of folks have done good writeups on
the subject, including:

The ease of (ab)using X11:
http://www.hackinglinuxexposed.com/articles/20040513.html
http://www.hackinglinuxexposed.com/articles/20040608.html

Other .EDUs guides (with much thanks to the respective authors):
http://www.stanford.edu/group/security/securecomputing/x-window/index.html
http://csociety.ecn.purdue.edu/~sigos/projects/ssh/forwarding/#X11
http://www.biac.duke.edu/library/documentation/xwin32/Security.html
...

Brian, thank you so much for this excellent response.  I think you have
hit the nail on the head, and the follow-ups from James Barlow at NCSA,
and Wes Young at UBuffalo have added very valuable details as well.

One thing that threw us, is that one user informed us that he only used
the compromised passwords over ssh.  I am guessing, now, that what
happened was that the user established an ssh session with X11
forwarding, opened an xterm and then proceeded to open further ssh
sessions from within the xterm, allowing the passwords to be captured
with X11 sniffing as you suggested.

Thanks again,

- --
Warren Petrofsky
petrofsk () sas upenn edu
Information Security Specialist
SAS Computing - University of Pennsylvania
215-573-0999
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFuACw3SthtV8kjpARAtLXAJ9Y/MbtMQgKPQR5baQt79d5XggE8gCfdxP/
wr/COchraXcGcyPGr6bk/Hc=
=aM/V
-----END PGP SIGNATURE-----

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault