[ale] so queit :)

JD jdp at algoloma.com
Mon Nov 3 17:16:30 EST 2014


Was at PhreakNIC the last few days.  Hopped onto a CTF competition network, my
fully patched laptop was hacked.

Fun, fun.

The passwd and group files had been replaced - completely - not just slightly
modified. To be fair, I hadn't hardened the box and wasn't using an IP that
should have been attacked.  Oh - and the / partition was read-only. The machine
had not been rebooted. Couldn't remount read-write with -o remount=rw.

Later that night, booted it up on a different network - 5 miles away - different
hotel and didn't see any issues. The passwd/hosts were back to normal.
Found a few services running that I should have shut off prior to leaving home.
 MiniDLNA, Prodogy, and a few others. It was more than ssh.

Oh - I did use DHCP to get on the network initially, then setup a static IP.
Someone at the CON said that debian/ubuntu bash wasn't 100% completely patched.

Compared critical files against a pre-CON backup this morning. Nothing was
different. Perhaps they used a bind-mount hack?

Rebuilding the machine now.

So - what has everyone else been doing?

On 11/03/2014 02:39 PM, Boris Borisov wrote:
> Hopefully all Linux boxes are working properly!
> 
> -- 

