Cracked
John
dingo at coco2.arach.net.au
Mon Oct 18 09:09:02 UTC 2004
Scott James Remnant wrote:
> On Mon, 2004-10-18 at 15:20 +0800, John wrote:
>
>
>>One can mount partitions etc with various security-enhancing options
>>such as ro,nodev,noexec etc. To do so requires more than the
>>Ubuntu-standard one filesystem.
>>
>
> Easy for any vaguely competent cracker to remove; most rootkits I've
> seen do a "mount -o rw,exec,remount -a" before beginning.
Perhaps, but by your admission, not all (and I don't think mine does,
though it does use chattr rather a lot).
Even so, that remount can be easily defeated (and not just by using a
r-o filesystem).
>
>
>>Omitting gcc and other program development tools from a server is
>>sensible. Make is sensible (sendmail and ypserv use them), but gcc, g++,
>>-dev packages? I don't think so.
>>
>
> As you've already discovered, most crackers know how to use APT.
Actually, apt wasn't used (wget was). This cracker was operating on a RH
system, but running on Woody:-)
> One of my boxes was once compromised through the samba daemon, the most
> amusing thing was the cracker "helpfully" upgraded it afterwards for
> me.
>
>
>>One of the other possible countermeasures is to detect dictionary
>>attacks and stop them cold.
>>
>
> Another is not to use passwords crackable by dictionary attacks.
> Personally I make up little phrases or rhymes, and play them out on the
> keyboard. Punctuation is great for this: "&" for "and", "!" for "not",
> etc.
As I've already mentioned, people will still not do that. That is why
I've proposed a countermeasure to dictionary attacks.
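An added example, not part of John's or Scott's messages: a small audit that checks a /proc/mounts snapshot against the hardening options the thread mentions (ro, nodev, noexec) and reports the drift a "mount -o rw,exec,remount -a" would leave behind. The policy, mount points and snapshot below are constructed assumptions for illustration.

```python
"""Audit mount options against a hardening policy (added example, not from the thread)."""

# Constructed policy: mount point -> options that must be present.
# These mount points and options are assumptions for the example.
POLICY = {
    "/usr": {"ro", "nodev"},
    "/tmp": {"nodev", "noexec", "nosuid"},
    "/home": {"nodev", "nosuid"},
}

# Constructed /proc/mounts snapshot (device mountpoint fstype options dump pass),
# as it might look after a rootkit remounted /usr rw and /tmp exec.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw 0 0
/dev/sda5 /usr ext3 rw,nodev 0 0
/dev/sda6 /tmp ext3 rw,nodev,nosuid 0 0
/dev/sda7 /home ext3 rw,nodev,nosuid 0 0
proc /proc proc rw 0 0
"""


def parse_mounts(text):
    """Return {mountpoint: set(options)} from /proc/mounts-style text."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        mounts[fields[1]] = set(fields[3].split(","))
    return mounts


def audit(mounts, policy):
    """Return {mountpoint: sorted missing options} for every policy violation.

    A mount point that is absent entirely is reported with all its required
    options missing: a filesystem that vanished or was replaced is drift too.
    """
    findings = {}
    for mountpoint, required in policy.items():
        present = mounts.get(mountpoint, set())
        missing = sorted(required - present)
        if missing:
            findings[mountpoint] = missing
    return findings


if __name__ == "__main__":
    for mp, missing in audit(parse_mounts(SAMPLE_MOUNTS), POLICY).items():
        print(f"{mp}: missing {','.join(missing)}")
```

On a live system feed parse_mounts(open("/proc/mounts").read()) to audit() instead of the snapshot; running it from cron against a copy of the policy kept on read-only media is one way to notice the remount after the fact.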