On 12/27/05, Dave Feustel <[EMAIL PROTECTED]> wrote:
> On Monday 26 December 2005 22:12, J.C. Roberts wrote:
> > On Mon, 26 Dec 2005 11:39:22 -0500, Dave Feustel
> > <[EMAIL PROTECTED]> wrote:
> >
> > >Don't use sudo in any konsole session.
> >
> > Dave,
> >
> > I don't think you're nuts but the fear mongering without providing any
> > proof or details of a compromise is questionable at best.
> >
> > If you really were compromised while running OpenBSD, you aren't the
> > first and probably won't be the last. As for leaving a terminal window
> > open with root privs, sudo or su, it has *always* been a bad idea:
>
> I never run root any more. Just long enough to install, add a user or two,
> and set up sudo. I have added a large number of packages and also
> compiled and installed other software not in the OpenBSD package
> collection. So I may have introduced a few holes at the user level myself.
>
> I have constantly been looking for signs of changes only possible via root.
> So far I have almost been able to convince myself that the intruder is doing
> whatever with my user privileges only.

Have you done any intrusion detection beyond this? What's your network topology?

What is your first impression of how the intruder is getting in? Is it another local user, i.e. one who already has an account on your box? If there are no other local users on your box are you monitoring connections to the possibly exploited system from another system?

Greg

