.sniffer file with plain text passwords! [solved]


Guest MoMule
Recently I have been receiving emailed logs from my firewall (9.2) showing that:

 

Security Warning: World Writable files found :

-/usr/share/locale/dk/language/.sniffer

 

When I view the .sniffer file, it shows:

 

/bin/login -- 'user name' :

Password: 'user password'

 

This file lists every logon attempt, including incorrect passwords - all in plain text!

 

Does this look like a hacker job? How do I find out what is running this file, and better yet, how do I stop and remove it!

 

Thanks for your help,

 

MoMule

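The warning in the first post comes from a periodic world-writable-file audit on the firewall. The following shell script is an added example, not code from the thread or from the firewall's own audit tool: it builds a small constructed directory tree containing one normal file and one hidden world-writable file in a data directory (mirroring the `.sniffer` location quoted above), then shows the two `find` checks a defender would run and a count of captured credential lines. The directory layout, file names and "hunter2"-style password are all constructed sample data.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes POSIX find(1), mktemp(1)
# and grep(1); all paths below are a constructed sample tree, not real ones.

# Build a constructed tree: one legitimate locale file (mode 644) and one
# hidden, world-writable capture file in a directory that should hold data only.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/share/locale/dk/language"
    printf 'legit locale data\n' > "$root/usr/share/locale/dk/language/messages"
    chmod 644 "$root/usr/share/locale/dk/language/messages"
    # Constructed content in the shape the poster described (user name, then password line).
    printf '/bin/login -- testuser :\nPassword: not-a-real-password\n' \
        > "$root/usr/share/locale/dk/language/.sniffer"
    chmod 666 "$root/usr/share/locale/dk/language/.sniffer"
    printf '%s\n' "$root"
}

# Regular files below $1 that are writable by "other" (octal bit 002).
# This is the class of file the firewall's warning reported.
find_world_writable() {
    find "$1" -type f -perm -002 -print 2>/dev/null | sort
}

# Narrow further: hidden files (name starts with '.') that are world-writable.
# A hidden, world-writable file under a read-only data tree is a strong
# indicator that something other than the package manager put it there.
find_hidden_world_writable() {
    find "$1" -type f -name '.*' -perm -002 -print 2>/dev/null | sort
}

# Count lines that look like captured passwords in a suspected capture file.
count_captured_logins() {
    grep -c '^Password:' "$1"
}

# Stand-alone run: audit the constructed tree and print what a defender would see.
sample=$(make_sample_tree)
echo "World-writable files under $sample:"
find_world_writable "$sample"
echo "Hidden world-writable files:"
find_hidden_world_writable "$sample"
rm -rf "$sample"
```

On a real host you would run the two `find` calls against `/` (adding `-xdev` to stay on one filesystem) and compare hits against what the package manager owns, rather than against a constructed tree.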
I couldn't get that link to load. Why would you need to reload? Why not just change the root and user passwords? If that file reflects the changes, can't you just change the username and password in the file to gibberish?


Because if someone's got root on your system, they may read your new password from that file before you even get the chance to 'obfuscate' it. And who knows what other nastiness...!

 

Face it - you may think being aware you've been hacked puts you one step ahead, it doesn't. It just puts you one less step behind. Once they get root, think what they can do: create new users with innocuous names like 'webclient' or something, with root group privileges. They could make several of these if they expect you to be a strong opponent. And as long as they can hang onto just one such account, your system is, I'm afraid, 0wn3d.

 

Reinstall is the ONLY way to be certain of escape, unless you know every file and user-account on your system like the back of your hand (don't forget the binaries!). Hell, it's quicker to reinstall Mandrake than just think about that kind of investigative task.

4 weeks later...
Guest MoMule

Well, I read the link (it worked for me the day it was posted), and found the files to remove. I then built a new firewall (with less ports opened, and no more winbind/samba/2000 server configuration).

 

I left the cracked firewall in place to see what would happen (which is why I never responded to this thread until now).

 

About three weeks later, my logs caught someone using a user's login and su -'ing to root to install gwee and a couple of other things on the firewall. This user's account had been used previously to run ftp commands (.bash_history file)...

 

So the poster that typed:

 

"Face it - you may think being aware you've been hacked puts you one step ahead, it doesn't. It just puts you one less step behind. Once they get root, think what they can do: create new users with innocuous names like 'webclient' or something, with root group privileges. They could make several of these if they expect you to be a strong opponent. And as long as they can hang onto just one such account, your system is, I'm afraid, 0wn3d."

 

...is absolutely correct!

 

Thanks for the link devries, and the help!!

 

MoMule

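The last post describes the detection that actually caught the intruder: the logs showed an ordinary user account doing `su -` to root. The script below is an added example, not from the thread, showing how to pull those events out of a syslog-style authentication log and flag any account that is not on an expected list. The log lines are constructed in the format PAM's `su` writes on older Linux systems (`session opened for user root by NAME(uid=N)`); host name, user names, PIDs and timestamps are all made up.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes POSIX awk(1) and mktemp(1).
# The log below is constructed sample data in syslog/pam_unix format.

make_sample_log() {
    log=$(mktemp)
    cat > "$log" <<'EOF'
Apr  3 02:14:01 fw sshd[2201]: Accepted password for bob from 10.0.0.5 port 4422 ssh2
Apr  3 02:14:07 fw su(pam_unix)[2210]: session opened for user root by bob(uid=501)
Apr  3 02:14:09 fw su(pam_unix)[2210]: session closed for user root
Apr  3 09:30:12 fw su(pam_unix)[2301]: session opened for user postgres by alice(uid=500)
Apr  3 23:55:40 fw su(pam_unix)[2402]: session opened for user root by bob(uid=501)
EOF
    printf '%s\n' "$log"
}

# Print "Mon Day Time user" for every su session that was opened as root.
# Lines where su went to some other account (postgres above) are ignored.
root_su_events() {
    awk '/su\(pam_unix\)\[[0-9]+\]: session opened for user root by / {
        split($0, parts, " by ")        # parts[2] = "bob(uid=501)"
        sub(/\(.*$/, "", parts[2])      # strip "(uid=501)" -> "bob"
        print $1, $2, $3, parts[2]
    }' "$1"
}

# Report root escalations by anyone not in the comma-separated allow list $2.
# An unexpected name here is exactly the signal the poster's logs produced.
report_unexpected_root_su() {
    root_su_events "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($4 in ok) { print "UNEXPECTED:", $0 }'
}

# Stand-alone run: only "alice" is expected to become root on this host.
log=$(make_sample_log)
echo "All su-to-root events:"
root_su_events "$log"
echo "Escalations by accounts not on the allow list:"
report_unexpected_root_su "$log" "alice"
rm -f "$log"
```

The allow list is the important part: an `su` to root by an account that never does it (a service account, or a user who only ever ran ftp, as in the `.bash_history` the poster mentions) is worth an alert on its own, regardless of whether the password was correct.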