OpenSSH Trojan

Matthias Benkmann matthias at winterdrache.de
Thu Aug 1 14:44:27 PDT 2002


On Thu, 1 Aug 2002 15:35:14 -0400 Dan Eriksen <eriksen at canada.com> wrote:

> On Thu, 1 Aug 2002 20:18:12 +0200
> Matthias Benkmann <matthias at winterdrache.de> wrote:
> 
> > Lesson to learn: NEVER EVER build as root.
> 
> 	If an attacker has any brains, wouldn't he add his exploit to the
> 	make install section? 

Actually, if you follow the more_control hint, you don't even make install
as root. But not building as root is at least a start. This issue is
proof. There ARE hackers (well, probably just a script kiddie in this
case) too stupid to do more than add an exploit (probably not written by
the kiddie) to a makefile. A moderately competent hacker would have put
exploit code into the actual sshd and/or ssh binary. But the fact that
more severe threats do exist does not justify ignoring the lesser evils.
That would be just like saying that having a root password is pointless if
people can boot a machine with a floppy. Having a root password protects
against many attacks by wanna-be hackers (i.e. the average student) and in
a lot of environments these are the only attacks you're worried about
99.9% of the time.

MSB

-- 
An optimist thinks that this is the best possible world.
A pessimist fears that this is true.

-- 
Unsubscribe: send email to listar at linuxfromscratch.org
and put 'unsubscribe lfs-security' in the subject header of the message



More information about the lfs-security mailing list