On Wed, Jun 6, 2012 at 1:45 PM, Camaleón <noela...@gmail.com> wrote:
> On Wed, 06 Jun 2012 12:20:51 -0300, francis picabia wrote:
>
>> I think I've found a compromised user account.
>
> Wow :-(
>
> How they got into (unpatched application, password steal...)?

In many cases, phishing - simply asking for the password as if it were a
legit request - is enough to get a password. In this case, I would guess
the user had a keylogger, but I don't really know yet. We run denyhosts,
so I'm pretty sure it wasn't by brute force.

>> This is on Debian but alien is installed. The attackers have not made a
>> move yet, but have done some tests and kept their connections to
>> scp/sftp to be unnoticed by last.
>
> Kill them and correct the vulnerability >:-)

Well, we've changed all their passwords and we'll get in touch with the
user to advise.

>> There is a directory .rpmdb uploaded to their home directory. How could
>> this be used to set up their software? I mean, is there a special angle
>> they are aiming at which achieves a result they would not have realized
>> by only using make on their sources?
>
> That directory can be normal if you have alien installed. But if they
> have access to a shell they can run the usual commands that are available
> for a standard user.

Right. So this person was trying to stay under the radar via scp/sftp and
uploaded some stuff. When the day of the main action comes up and they use
ssh and shell, of what advantage could an especially set up .rpmdb
directory be to an ordinary user? Maybe I should ask on the Redhat list...

I could see why it would be fun to run a honey pot.
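As an added example, not part of the thread: a small Python check for the evasion francis describes, sftp sessions that never show up in `last` because sshd does not write them to wtmp, worked against constructed auth.log lines modelled on OpenSSH's own messages (the user name, addresses, timestamps and the assumed year are made up).

```python
import re
from datetime import datetime

# Constructed sample auth.log lines in OpenSSH/syslog style (not from the thread).
# An sftp login logs "Accepted ..." then "subsystem request for sftp"; neither
# touches wtmp, so `last` never shows the session.
SAMPLE_AUTH_LOG = """\
Jun  5 02:11:07 host sshd[4123]: Accepted password for jsmith from 198.51.100.7 port 50210 ssh2
Jun  5 02:11:08 host sshd[4125]: subsystem request for sftp by user jsmith
Jun  5 09:30:12 host sshd[4210]: Accepted publickey for jsmith from 192.0.2.44 port 40100 ssh2
Jun  5 09:30:12 host sshd[4210]: pam_unix(sshd:session): session opened for user jsmith by (uid=0)
Jun  6 03:02:55 host sshd[4401]: Accepted password for jsmith from 198.51.100.7 port 50388 ssh2
Jun  6 03:02:56 host sshd[4403]: subsystem request for sftp by user jsmith
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*)$")
ACCEPT_RE = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port \d+")
SFTP_RE = re.compile(r"subsystem request for sftp by user (\S+)")


def parse_sessions(text, year=2012, window=5):
    """Return (user, time, src_ip, auth_method, kind) per accepted login.
    kind is "sftp" if an sftp subsystem request for that user follows within
    `window` seconds, else "other" (shell, or legacy scp, which uses exec and
    logs no subsystem request). The year is assumed: syslog omits it."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=year)
        a = ACCEPT_RE.match(m.group(2))
        if a:
            sessions.append([a.group(2), ts, a.group(3), a.group(1), "other"])
            continue
        s = SFTP_RE.match(m.group(2))
        if s:  # attribute to the latest login of that user inside the window
            for sess in reversed(sessions):
                if sess[0] == s.group(1) and 0 <= (ts - sess[1]).total_seconds() <= window:
                    sess[4] = "sftp"
                    break
    return [tuple(x) for x in sessions]


def sftp_only_sources(sessions):
    """(user, src_ip) pairs seen only in sftp sessions: exactly the logins
    that `last` would have hidden, so they deserve a second look."""
    kinds = {}
    for user, _, ip, _, kind in sessions:
        kinds.setdefault((user, ip), set()).add(kind)
    return sorted(k for k, v in kinds.items() if v == {"sftp"})
```

On a real box, feed it the contents of /var/log/auth.log (or the journal's sshd output) and compare the result with what `last` reports for the same user.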