On Wed, 06 Jun 2012 14:21:13 -0300, francis picabia wrote:

> On Wed, Jun 6, 2012 at 1:45 PM, Camaleón <noela...@gmail.com> wrote:
>> On Wed, 06 Jun 2012 12:20:51 -0300, francis picabia wrote:
>>
>>> I think I've found a compromised user account.
>>
>> Wow :-(
>>
>> How did they get in (unpatched application, password steal...)?
>
> In many cases, phishing - simply asking for the password as if it were a
> legit request - is enough to get a password. In this case, I would
> guess the user had a keylogger, but I don't really know yet. We run
> denyhosts, so I'm pretty sure it wasn't by brute force.

Ugh, you should train your users against this kind of request so they ignore them ;-(

>>> This is on Debian but alien is installed. The attackers have not made
>>> a move yet, but have done some tests and kept their connections to
>>> scp/sftp to be unnoticed by last.
>>
>> Kill them and correct the vulnerability >:-)
>
> Well, we've changed all their passwords and we'll get in touch with the
> user to advise.

You look very relaxed with this (I'd be very stressed :-P) but although you seem to have the situation under control, it won't harm running rkhunter or another specialized anti-rootkit, just to be sure that all is fine and there are no additional holes in the system.

>>> There is a directory .rpmdb uploaded to their home directory. How
>>> could this be used to set up their software? I mean, is there a
>>> special angle they are aiming at which achieves a result they would
>>> not have realized by only using make on their sources?
>>
>> That directory can be normal if you have alien installed. But if they
>> have access to a shell they can run the usual commands that are
>> available for a standard user.
>
> Right. So this person was trying to stay under the radar via scp/sftp
> and uploaded some stuff. When the day of the main action comes up and
> they use ssh and shell, of what advantage could an especially set up
> .rpmdb directory be to an ordinary user? Maybe I should ask on the
> Redhat list...

I can't guess any because an empty folder means not much (it could have been automatically created by your system if they just ran the "alien" command).

> I could see why it would be fun to run a honey pot.

Uff, I envy the serene outlook you've taken for this :-)

Greetings,

-- 
Camaleón

Archive: http://lists.debian.org/jqqckl$dr8$5...@dough.gmane.org
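The thread's point that scp/sftp sessions stay "unnoticed by last" comes down to wtmp: `last` only shows sessions that allocate a tty, while sftp-only logins are still recorded by sshd in the auth log. The following is an added example (not code from the thread) that correlates `Accepted ...` lines with the `subsystem request for sftp` lines that follow them and reports logins that never show up in `last`; the log lines, hostnames and addresses are constructed samples.

```python
import re
from dataclasses import dataclass

# Constructed sample sshd lines in Debian syslog format (not from the original thread).
SAMPLE_AUTH_LOG = """\
Jun  6 09:12:01 host sshd[2001]: Accepted password for alice from 203.0.113.7 port 50122 ssh2
Jun  6 09:12:02 host sshd[2005]: subsystem request for sftp by user alice
Jun  6 10:30:15 host sshd[2100]: Accepted publickey for bob from 198.51.100.9 port 41000 ssh2
Jun  6 11:02:44 host sshd[2210]: Accepted password for alice from 203.0.113.7 port 50311 ssh2
Jun  6 11:02:45 host sshd[2214]: subsystem request for sftp
"""

# Constructed output of `last`, which reads wtmp: only the interactive session appears.
SAMPLE_LAST = """\
bob      pts/0        198.51.100.9     Wed Jun  6 10:30   still logged in
"""

ACCEPTED = re.compile(r"Accepted (\w+) for (\S+) from (\S+) port \d+")
SFTP = re.compile(r"subsystem request for sftp(?: by user (\S+))?")


@dataclass
class Login:
    when: str
    method: str
    user: str
    src: str
    kind: str = "interactive"  # flipped to "sftp" when a subsystem request follows


def parse_logins(auth_log: str) -> list[Login]:
    """Pair each accepted login with a following sftp subsystem request, if any."""
    logins: list[Login] = []
    for line in auth_log.splitlines():
        m = ACCEPTED.search(line)
        if m:
            logins.append(Login(line[:15], m.group(1), m.group(2), m.group(3)))
            continue
        m = SFTP.search(line)
        if m and logins:
            user = m.group(1)
            # Newer sshd names the user; older versions do not, so fall back to the latest login.
            candidates = [l for l in logins if user is None or l.user == user]
            if candidates:
                candidates[-1].kind = "sftp"
    return logins


def hidden_from_last(auth_log: str, last_output: str) -> list[Login]:
    """Return accepted logins whose (user, source) pair never appears in `last` output."""
    seen = {(f[0], f[2]) for f in (l.split() for l in last_output.splitlines()) if len(f) > 2}
    return [l for l in parse_logins(auth_log) if (l.user, l.src) not in seen]
```

On a real host feed it `/var/log/auth.log` and the output of `last -i`, and compare the sftp-only logins it reports against the users you expect to be transferring files.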