Subject: Re: strange but true.
To: Tony Hernadez <tony@cne-inc.com>
From: Gavan Fantom <gavan@coolfactor.org>
List: tech-security
Date: 09/05/2000 14:07:54
Date: Tue, 5 Sep 2000 14:07:54 +0100 (BST)
From: Gavan Fantom <gavan@coolfactor.org>
To: Tony Hernadez <tony@cne-inc.com>
cc: "'tech-security@netbsd.org'" <tech-security@netbsd.org>
Subject: Re: strange but true.
In-Reply-To: <E10D54F27C6AD11196EF00600812C5CF067E8C@CNENT>
Message-ID: <Pine.NEB.4.10.10009051356200.6115-100000@paper.durnsford.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Tue, 5 Sep 2000, Tony Hernadez wrote:

> I have a 1.4.2 i386 machine running as an apache web server where I work.
> This morning I come in to see a bunch of failed login attempts on the
> screen. That's no big deal really.. it happens all the time. But this time
> the person tried to login as root and tony which are the only two accounts
> ever used on the machine. How did this happen ? How does someone find out
> the users on your machine ? The only inetd services that are running are ftp
> and telnet. root cannot log in from a network tty. What gives ?

Maybe it was just a lucky guess or the attacker was called Tony. :-)

Seriously though, if you're sure that there's no way to remotely find out
usernames from your machine (are there any non-inetd services running
other than apache?), the two most logical things to consider are:

1) That the attacker has noticed that there is a person called Tony
somehow administratively connected to the machine. Are you listed by name
on the web page? Or in whois? It's obviously commonplace for people to use
their names as login names, so that's a logical place to start for an
attacker.

2) That the attacker has compromised another box on your network (or
between your network and where you telnet/ftp from), and has been packet
sniffing. I have to admit though, that this seems unlikely given that the
attacker hasn't been able to log in, as packet sniffing would normally
reveal the password you use as well. I don't suppose you use one time
passwords?

There is a third (unlikely but possible) possibility:

3) That the attacker is someone who knows you.

Unless you use one time passwords, I'd be inclined to suspect the first.

-- 
Gillette - the best a man can forget
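As an added example, not part of the original thread or of any NetBSD code: a small log triage script for the situation Tony describes. It pulls the tried usernames and source hosts out of telnet (login) and ftpd failure records and reports, per source host, whether the names tried are all real local accounts, which is the signal in the thread that the attacker knew the usernames rather than guessing. The log lines and the account list are constructed for the example and only modelled on the shape of BSD login(1) and ftpd(8) syslog messages; the regexes are an assumption and should be checked against the actual messages in /var/log/authlog on the system in question.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the original post), in the shape of
# BSD login(1) / ftpd(8) syslog records. The last line is a non-matching
# distractor to show that unrelated records are ignored.
SAMPLE_LOG = """\
Sep  5 03:12:07 web login: 3 LOGIN FAILURES ON ttyp0 FROM 192.0.2.77, root
Sep  5 03:12:31 web login: ROOT LOGIN REFUSED ON ttyp0 FROM 192.0.2.77
Sep  5 03:13:02 web login: 1 LOGIN FAILURE ON ttyp0 FROM 192.0.2.77, tony
Sep  5 03:14:10 web ftpd[4123]: FTP LOGIN FAILED FROM 192.0.2.77, tony
Sep  5 03:15:09 web login: 1 LOGIN FAILURE ON ttyp1 FROM 198.51.100.9, test
Sep  5 03:15:40 web ftpd[4130]: FTP LOGIN FAILED FROM 198.51.100.9, admin
Sep  5 03:16:00 web /usr/sbin/cron[4200]: (root) CMD (/usr/libexec/atrun)
"""

# Accounts that actually exist on the box (constructed for the example; in
# practice read them from /etc/passwd).
LOCAL_ACCOUNTS = {"root", "tony"}

# Assumed message shapes (check against the real authlog):
# login(1):  "N LOGIN FAILURE[S] ON tty FROM host, user"
LOGIN_RE = re.compile(
    r"login: (?P<n>\d+) LOGIN FAILURES? ON \S+ FROM (?P<host>\S+), (?P<user>\S+)$")
# login(1):  "ROOT LOGIN REFUSED ON tty FROM host"  (root denied on a network tty)
ROOT_REFUSED_RE = re.compile(
    r"login: ROOT LOGIN REFUSED ON \S+ FROM (?P<host>\S+)$")
# ftpd(8):   "FTP LOGIN FAILED FROM host, user"
FTP_RE = re.compile(
    r"ftpd\[\d+\]: FTP LOGIN FAILED FROM (?P<host>\S+), (?P<user>\S+)$")


def parse_failures(log_text):
    """Return a list of (host, user, count, service) tuples, one per failed
    login record found in log_text. Lines matching none of the patterns
    are skipped."""
    out = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            out.append((m["host"], m["user"], int(m["n"]), "telnet"))
            continue
        m = ROOT_REFUSED_RE.search(line)
        if m:
            out.append((m["host"], "root", 1, "telnet"))
            continue
        m = FTP_RE.search(line)
        if m:
            out.append((m["host"], m["user"], 1, "ftp"))
    return out


def summarize(failures, local_accounts):
    """Aggregate failures per source host: total attempts, the usernames
    tried, which of those exist locally, and a flag that is set when every
    name tried is a real account. A host that only ever tries valid names
    is the case from the thread: it suggests the attacker already knew
    the usernames (web page, whois, sniffing) rather than guessing blindly."""
    per_host = defaultdict(lambda: {"attempts": 0, "users": set()})
    for host, user, n, _service in failures:
        per_host[host]["attempts"] += n
        per_host[host]["users"].add(user)
    report = {}
    for host, info in per_host.items():
        users = info["users"]
        report[host] = {
            "attempts": info["attempts"],
            "users": sorted(users),
            "known_users": sorted(users & local_accounts),
            "only_valid_names": bool(users) and users <= local_accounts,
        }
    return report


if __name__ == "__main__":
    rep = summarize(parse_failures(SAMPLE_LOG), LOCAL_ACCOUNTS)
    for host, info in sorted(rep.items()):
        flag = "  <-- tried only names that exist here" if info["only_valid_names"] else ""
        print(f"{host}: {info['attempts']} attempts, users={info['users']}, "
              f"known={info['known_users']}{flag}")
```

Run against the constructed input, 192.0.2.77 is flagged (6 attempts, only root and tony tried) while 198.51.100.9 is not (2 attempts against names that do not exist on the box). Feed the real authlog in place of SAMPLE_LOG and the account list from /etc/passwd to use it on a live system.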