Comment 0 for bug 58074

Brian Ealdwine (eode) wrote :

Binary package hint: openssh-server

Granted, I should have been paying attention.

But.

I hadn't changed the root password from initial install - I just use sudo.

Each character of a password is one of over 60 possibilities.

..so a 3-character password entails over 200,000 possibilities.
..which gives them a 23% chance of having cracked my system in the number of tries they did - if it was a 3-character password. A 4-character password makes it a 0.3% chance. A 5-character password makes it a 0.00006% chance. You get the picture.

so, some information:
I'm running Kubuntu LTS, with "OpenSSH_4.2p1 Debian-7ubuntu3, OpenSSL 0.9.8a"

and, some questions:
..why was my system hacked in only ~50,000 tries? ..my own idiocy aside -- Is there a bug in openssh-server, or some other vulnerability I don't know about? ..if so, is there a patch coming out soon?
..I thought there was no password/no potential for login other than 'sudo bash' or 'sudo su' for the root account in (k)Ubuntu. Is this not the case?
..why does openssh-server in (k)Ubuntu allow root logins by default, particularly with the whole "rootless" idea going on?
..and, of course.. What potentially useful information can I provide to help this get fixed?

Please don't just blow me off on this - I think there's an actual issue here. If you do, please give a solid reason why you think it's probable that someone hacked my system in that time.

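The report above reasons about two things: how many password attempts against root the host saw, and what fraction of the password keyspace that many guesses covers. The following is an added example, not code from the bug report or from the openssh-server package, that makes both concrete: it counts failed password attempts per source address from auth.log-style lines (the sample lines are constructed, with documentation-range IPs), flags a source that succeeded as root after repeated failures, and computes the keyspace coverage for a given password length. The 60-symbol alphabet is taken from the reporter's own figure; the log line format is the one sshd writes for password authentication.

```python
"""Brute-force exposure check for sshd (added example, not from the report)."""
import re
from collections import Counter

# Constructed sample lines in the format sshd writes to auth.log:
# syslog prefix, then "Failed password for <user> from <ip> port <n> ssh2".
SAMPLE_AUTH_LOG = """\
Aug  1 02:14:01 host sshd[4021]: Failed password for root from 192.0.2.10 port 40122 ssh2
Aug  1 02:14:03 host sshd[4021]: Failed password for root from 192.0.2.10 port 40123 ssh2
Aug  1 02:14:04 host sshd[4023]: Failed password for invalid user admin from 192.0.2.10 port 40124 ssh2
Aug  1 02:14:06 host sshd[4025]: Failed password for root from 198.51.100.7 port 51000 ssh2
Aug  1 02:14:09 host sshd[4027]: Accepted password for root from 192.0.2.10 port 40130 ssh2
"""

# "invalid user" is inserted by sshd when the account does not exist; it is
# optional in the pattern so both forms yield the attempted user name.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+)"
)


def failed_logins(log_text, user="root"):
    """Count failed password attempts for `user`, keyed by source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m and m.group("user") == user:
            counts[m.group("ip")] += 1
    return counts


def accepted_after_failures(log_text, user="root", threshold=2):
    """Return source IPs that logged in as `user` after at least
    `threshold` failed attempts: the signature of a successful guess."""
    failures = failed_logins(log_text, user)
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m and m.group("user") == user and failures[m.group("ip")] >= threshold:
            hits.append(m.group("ip"))
    return hits


def keyspace_fraction(tries, length, alphabet=60):
    """Fraction of all `length`-character passwords over an `alphabet`-symbol
    set that `tries` distinct guesses cover. For a uniformly random password
    this is the probability that one of those guesses is correct; it is the
    calculation the report does by hand (50,000 tries, 60 symbols)."""
    return min(1.0, tries / alphabet ** length)


def minimum_length(tries, max_probability, alphabet=60):
    """Smallest password length that keeps the success probability of
    `tries` guesses at or below `max_probability`."""
    length = 1
    while keyspace_fraction(tries, length, alphabet) > max_probability:
        length += 1
    return length


if __name__ == "__main__":
    print("failed root attempts by source:", dict(failed_logins(SAMPLE_AUTH_LOG)))
    print("root logins after repeated failures:", accepted_after_failures(SAMPLE_AUTH_LOG))
    for n in (3, 4, 5):
        print(f"{n}-char password, 50,000 tries: {keyspace_fraction(50000, n):.6%}")
```

The coverage figure is an upper bound on a guessing attacker's success chance only if the password is uniformly random over the alphabet; dictionary-derived or short passwords fall far sooner, which is why the tally of failed attempts per source is the more useful signal in practice. The exposure itself is closed on the server side with the `PermitRootLogin` directive in sshd_config, which is the setting the report's last two questions are about.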