On 26.01.2011, Wolfgang S. Rupprecht wrote:
> The real issue is that there isn't a good activity log. While I can
> install tripwire to watch for changed files

I would have used aide instead of tripwire.

> it probably won't tell me how they got in.
> Is there something that addresses that

Joe Zeff j...@zeff.us writes:
> On 01/25/2011 02:34 PM, Wolfgang S. Rupprecht wrote:
>> That lowered ssh security allowed a second intrusion at user
>> level (probably by password guessing)
>
> No need. Once they had root they could add a user and use that for their
> user-level work.

I understand.

Marko Vojinovic vvma...@gmail.com writes:
> Shouldn't this be the other way around? I mean, ordinary user gets
> compromised first, and then root gets compromised later?

Oh, I'm sure there was an initial user-level attack that I haven't found
yet and probably won't. Apache will all that

On 01/26/2011 01:06 PM, Wolfgang S. Rupprecht wrote:
> Oh, I'm sure there was an initial user-level attack that I haven't found
> yet and probably won't.

Check /etc/passwd for users you don't recognize.

    grep -v nologin /etc/passwd

will give you a list of users who can log in. The few who aren't
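
The account check suggested above, as an added example that is not part of the original thread: it reads passwd-format lines on stdin, lists accounts with a usable shell, and goes one step beyond the `grep` by also skipping `/bin/false`-style shells and flagging any UID 0 account not named root. The function names, the `UID0-NOT-ROOT` marker and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: list accounts in a passwd-format stream that can log in.
# Field layout: name:passwd:UID:GID:GECOS:home:shell

# Reads passwd lines on stdin, prints "name uid shell [UID0-NOT-ROOT]".
login_accounts() {
    awk -F: '
        $0 ~ /^#/ || NF < 7 { next }   # skip comments and malformed lines
        # shells that do not give an interactive login
        $7 ~ /(nologin|false|sync|shutdown|halt)$/ { next }
        {
            # an extra UID 0 account is a second root under another name
            flag = ($3 == 0 && $1 != "root") ? " UID0-NOT-ROOT" : ""
            # an empty shell field means the system default shell
            shell = ($7 == "") ? "(default)" : $7
            printf "%s %s %s%s\n", $1, $3, shell, flag
        }
    '
}

# Constructed sample input (not taken from the compromised system).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
svc:x:0:0::/tmp:/bin/sh
games:x:12:100:games:/usr/games:/bin/false
EOF
}

sample_passwd | login_accounts
```

On a real host the same function is run as `login_accounts < /etc/passwd`, and the result is compared against the accounts the administrator expects.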
Once again I find myself trying to help someone piece together how an
intruder managed to get into their system. The system was way out of
date (FC6) so it is no surprise that they got compromised. What I can
tell, the intruder managed to get root which allowed them to remove the
iptables file

On 01/25/2011 04:34 PM, Wolfgang S. Rupprecht wrote:
> Once again I find myself trying to help someone piece together how an
> intruder managed to get into their system. The system was way out of
> date (FC6) so it is no surprise that they got compromised. What I can
> tell, the intruder managed

On 01/25/2011 02:34 PM, Wolfgang S. Rupprecht wrote:
> That lowered ssh security allowed a second intrusion at user
> level (probably by password guessing)

No need. Once they had root they could add a user and use that for their
user-level work.

On Tuesday 25 January 2011 22:34:16 Wolfgang S. Rupprecht wrote:
> Once again I find myself trying to help someone piece together how an
> intruder managed to get into their system. The system was way out of
> date (FC6) so it is no surprise that they got compromised. What I can
> tell, the intruder