can root spy remotely content of X server of another user?

[Witek Mozga]

Hi,

A friend of mine asked me that question and I`m not sure. Suppose we have a network of linux machines most with X servers running. Can root remotely capture the X server content of these machines somehow? Or maybe he can run a script that will save X data to a file and then re-create what windows were opened and what was on the monitor? Is that easy? If so is there any way to prevent X server spying?

[bigpaws]

Let's break down the questions:

Can root remotely capture the X server content of these machines somehow?

The short answer is yes, but not quite that easy. Root on one machine will not be root on the
other machine without permission. In order to access a remote X session you need to have
the Xserver port open, and if a firewall is running allowing access as well.

Or maybe he can run a script that will save X data to a file and then recreate what windows were opened and what was on the monitor?

Again you can do this, however it will take a little work to accomplish that. First you would need to background the xserver under root and then you can log everything that happened. Of course the logs
would become large quickly.

Is that easy?

The concept is easy, implementing it is not. First remote exploiting would create a problem if the users
follow easy and safe web browsing principles. If there is physical access then all bets are off. Anyone can own that machine.

If so is there any way to prevent X server spying

To prevent this attack would be to have a firewall in place, second watch your
logs (mutt point for a good attacker since it is the first place to fix) and also
monitor those that have accessed your machine ( again mutt for a good attack
since wtmp is the second thing to fix) also you can monitor your files and see if
any file is strange bad timestamps and such.

HTH

Bigpaws

[Witek Mozga]

To prevent this attack would be to have a firewall in place, second watch your
logs

Thanks for the answer. What I meant was more about what if a network admin (at someone`s work for example) is a nosy peeping guy and wants to monitor what people are doing instead of working Anyway I see that there is no easy solution for this or tool that can be downloaded from sourceforge.net and just installed.

[bigpaws]

What I meant was more about what if a network admin (at someone`s work for example) is a nosy peeping guy and wants to monitor what people are doing instead of working

If the administrator is monitoring your actions then he is working. An administrator should never
take the job lightly since anything that goes wrong is their fault.

The question that you have asked. If I am the administrator with all the passwords then it is
trivial to setup the monitoring your asking about. You can almost bet the bank that any
internet connection has some type of logging. That goes in hand with understanding the
attacks against the network are.

There are admins that abuse their power ( I am the powerful Oz) and then unrealistic users
(I should be able to do anything that I want) neither is a good thing. A balance and open
communication is important, since both groups need each other.

Bigpaws

[Triarius Fidelis]

A friend of mine asked me that question and I`m not sure. Suppose we have a network of linux machines most with X servers running. Can root remotely capture the X server content of these machines somehow? Or maybe he can run a script that will save X data to a file and then re-create what windows were opened and what was on the monitor? Is that easy? If so is there any way to prevent X server spying?

There is NetOp, which runs on Linux and fits that description to a T. I can't testify to its reliability, however, because I usually turn it off in WinDOS when I'm in class in the Services configuration...