Syslog hack
Syslog hack (From http://fernandomagro.com/security/linux-social-engineering/)
Imagine you’re at home managing your servers from your personal workstation and an attacker comes to you saying he compromised one of your servers. Furthermore, he tells you to check the /var/log/secure file for 5 login entries as root from your IP address that you didn’t make.
Jul 24 11:31:01 your-server sshd[9665]: Accepted publickey for root from 111.111.111.111 port 48479 ssh2
Jul 24 11:31:02 your-server sshd[9665]: Accepted publickey for root from 111.111.111.111 port 38161 ssh2
Jul 24 11:31:03 your-server sshd[9665]: Accepted publickey for root from 111.111.111.111 port 36182 ssh2
Jul 24 11:31:04 your-server sshd[9665]: Accepted publickey for root from 111.111.111.111 port 51273 ssh2
Jul 24 11:31:05 your-server sshd[9665]: Accepted publickey for root from 111.111.111.111 port 21511 ssh2
The first thing you will think is that the /var/log/secure file is unwritable and that he’s not only inside your server but also inside your personal workstation! That is wrong. In fact, you might be a victim of social engineering by an expert.
The technical explanation is that /dev/log is writable by everyone, so anyone with basic knowledge of the C programming language (or another) can use the syslog() function to inject a line into the /var/log/secure or /var/log/messages file that makes it look like an ssh login or a su to root.
Sarath Nambiar
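Added example (not part of the post or the linked article): a small Python check for the log forgery the post describes, flagging ssh "Accepted" entries that lack two traits of a login actually handled by sshd. It assumes a privilege-separated sshd with PAM, where the process that logs "Accepted ..." also logs "pam_unix(sshd:session): session opened" under the same PID and handles one connection each; the sample log is constructed from the lines quoted above plus one ordinary login.

```python
import re
from collections import defaultdict

# Constructed sample log: the five lines quoted in the post, plus one ordinary
# login that has the pam_unix session line a real sshd process also writes.
SAMPLE_LOG = """\
Jul 24 11:31:01 your-server sshd[9665]: Accepted publickey for root from 111.111.111.111 port 48479 ssh2
Jul 24 11:31:02 your-server sshd[9665]: Accepted publickey for root from 111.111.111.111 port 38161 ssh2
Jul 24 11:31:03 your-server sshd[9665]: Accepted publickey for root from 111.111.111.111 port 36182 ssh2
Jul 24 11:31:04 your-server sshd[9665]: Accepted publickey for root from 111.111.111.111 port 51273 ssh2
Jul 24 11:31:05 your-server sshd[9665]: Accepted publickey for root from 111.111.111.111 port 21511 ssh2
Jul 24 11:40:12 your-server sshd[10234]: Accepted publickey for admin from 10.0.0.5 port 50022 ssh2
Jul 24 11:40:12 your-server sshd[10234]: pam_unix(sshd:session): session opened for user admin by (uid=0)
"""

# Syslog prefix: "Mon DD HH:MM:SS host sshd[pid]: ..."
PREFIX = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
ACCEPTED_RE = re.compile(PREFIX + r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+")
SESSION_RE = re.compile(PREFIX + r"pam_unix\(sshd:session\): session opened for user (?P<user>\S+)")

def find_suspicious_logins(log_text):
    """Return (timestamp, pid, user, ip, reasons) for each 'Accepted' line that
    lacks the traits of a login actually handled by sshd."""
    accepted = []
    sessions = set()                 # (pid, user) pairs that opened a PAM session
    logins_per_pid = defaultdict(int)
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            accepted.append(m.groupdict())
            logins_per_pid[m["pid"]] += 1
            continue
        m = SESSION_RE.match(line)
        if m:
            sessions.add((m["pid"], m["user"]))

    findings = []
    for a in accepted:
        reasons = []
        # sshd forks one process per connection; one PID accepting many logins is off.
        if logins_per_pid[a["pid"]] > 1:
            reasons.append("pid %s used for %d accepted logins" % (a["pid"], logins_per_pid[a["pid"]]))
        # A real login also opens a PAM session under the same PID; a line pushed
        # through syslog() by some other process has nothing to pair with.
        if (a["pid"], a["user"]) not in sessions:
            reasons.append("no pam_unix session opened for this pid/user")
        if reasons:
            findings.append((a["ts"], a["pid"], a["user"], a["ip"], reasons))
    return findings
```

Running it over the sample flags all five quoted lines for both reasons and leaves the admin login alone; the same pairing logic applies to su, where pam_unix(su:session) lines should accompany a genuine switch to root.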