
.sniffer file with plain text passwords! [solved]


Guest MoMule

Recommended Posts

Guest MoMule

Recently I have been receiving emailed logs from my firewall (9.2) showing that:

 

Security Warning: World Writable files found :

-/usr/share/locale/dk/language/.sniffer

 

When I view the .sniffer file, it shows:

 

/bin/login -- 'user name' :

Password: 'user password'

 

This file lists every logon attempt, including incorrect passwords - all in plain text!

 

Does this look like a hacker job? How do I find out what is running this file, and better yet, how do I stop and remove it!

 

Thanks for your help,

 

MoMule

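The two questions in the post above (is this file suspicious, and what is writing to it) map onto two checks a defender can run. The script below is an added example for this thread, not something posted by MoMule or shipped with Mandrake's firewall checks; it lists world-writable regular files under a directory tree and, for each, walks /proc to show which running process holds the file open and which binary that process really is. Paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): locate world-writable files and
# identify the processes that currently have them open. Linux /proc assumed.

# Print world-writable regular files under $1, one per line.
# -perm -0002 matches any mode with the "other write" bit set.
find_world_writable() {
    root="$1"
    find "$root" -xdev -type f -perm -0002 2>/dev/null
}

# Print the PIDs of processes holding $1 open, by resolving /proc/*/fd/* links.
pids_holding_open() {
    target="$1"
    for fd in /proc/[0-9]*/fd/*; do
        link=$(readlink "$fd" 2>/dev/null) || continue
        [ "$link" = "$target" ] || continue
        pid=${fd#/proc/}; pid=${pid%%/*}
        echo "$pid"
    done | sort -u
}

# For each world-writable file: owner, mode, path, and any process writing to it.
# /proc/PID/exe shows the real binary even if the process disguised its argv[0].
report_world_writable() {
    root="$1"
    find_world_writable "$root" | while IFS= read -r f; do
        printf '%s\t%s\n' "$(stat -c '%U:%G %a' "$f")" "$f"
        for pid in $(pids_holding_open "$f"); do
            exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
            printf '    open by pid %s (%s)\n' "$pid" "$exe"
        done
    done
}

# Usage (the directory from the post is an example; scan / for a full audit):
# report_world_writable /usr/share/locale
```

A file such as the one reported above, owned by root and world-writable in a locale directory, is a finding on its own; a process holding it open whose /proc/PID/exe does not match an installed package is the lead for what to remove or, as the replies below argue, for deciding to reinstall.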

Because if someone's got root on your system, they may read your new password from that file before you even get the chance to 'obfuscate' it. And who knows what other nastiness...!

 

Face it - you may think being aware you've been hacked puts you one step ahead, it doesn't. It just puts you one less step behind. Once they get root, think what they can do: create new users with innocuous names like 'webclient' or something, with root group privileges. They could make several of these if they expect you to be a strong opponent. And as long as they can hang onto just one such account, your system is, I'm afraid, 0wn3d.

 

Reinstall is the ONLY way to be certain of escape, unless you know every file and user-account on your system like the back of your hand (don't forget the binaries!). Hell, it's quicker to reinstall Mandrake than just think about that kind of investigative task.


  • 4 weeks later...
Guest MoMule

Well, I read the link (it worked for me the day it was posted), and found the files to remove. I then built a new firewall (with less ports opened, and no more winbind/samba/2000 server configuration).

 

I left the cracked firewall in place to see what would happen (hence why I never responded to this thread until now).

 

About three weeks later, my logs caught someone using a user's login and su -'ing to root to install gwee and a couple of other things on the firewall. This user's account had been used previously to run ftp commands (.bash_history file)...

 

So the poster that typed:

 

"Face it - you may think being aware you've been hacked puts you one step ahead, it doesn't. It just puts you one less step behind. Once they get root, think what they can do: create new users with innocuous names like 'webclient' or something, with root group privileges. They could make several of these if they expect you to be a strong opponent. And as long as they can hang onto just one such account, your system is, I'm afraid, 0wn3d."

 

...is absolutely correct!

 

Thanks for the link devries, and the help!!

 

MoMule
