On 01/26/2011 07:00 AM, Heinz Diehl wrote:
> On 26.01.2011, Wolfgang S. Rupprecht wrote:
>
>> The real issue is that there isn't a good activity log. While I can
>> install tripwire to watch for changed files
>
> I would have used "aide" instead of tripwire.
>
>> it probably won't tell me how the
On 01/26/2011 01:06 PM, Wolfgang S. Rupprecht wrote:
> Oh, I'm sure there was an initial user-level attack that I haven't found
> yet and probably won't.
Check /etc/passwd for users you don't recognize.
grep -v nologin /etc/passwd
will give you a list of users who can log in. The few who aren't
Marko Vojinovic writes:
> Shouldn't this be the other way around? I mean, ordinary user gets
> compromised first, and then root gets compromised later?
Oh, I'm sure there was an initial user-level attack that I haven't found
yet and probably won't. Apache will all that dynamic stuff run fro
Joe Zeff writes:
> On 01/25/2011 02:34 PM, Wolfgang S. Rupprecht wrote:
>> That lowered ssh security allowed a second intrusion at user
>> level (probably by password guessing)
>
> No need. Once they had root they could add a user and use that for their
> user-level work.
I understand. I be
On 26.01.2011, Wolfgang S. Rupprecht wrote:
> The real issue is that there isn't a good activity log. While I can
> install tripwire to watch for changed files
I would have used "aide" instead of tripwire.
> it probably won't tell me how they got in.
> Is there something that addresses that p
On Tuesday 25 January 2011 22:34:16 Wolfgang S. Rupprecht wrote:
> Once again I find myself trying to help someone piece together how an
> intruder managed to get into their system. The system was way out of
> date (FC6) so it is no surprise that they got compromised. What I can
> tell, the intru
On 01/25/2011 02:34 PM, Wolfgang S. Rupprecht wrote:
> That lowered ssh security allowed a second intrusion at user
> level (probably by password guessing)
No need. Once they had root they could add a user and use that for their
user-level work.
--
users mailing list
users@lists.fedoraproject
On 01/25/2011 04:34 PM, Wolfgang S. Rupprecht wrote:
>
> Once again I find myself trying to help someone piece together how an
> intruder managed to get into their system. The system was way out of
> date (FC6) so it is no surprise that they got compromised. What I can
> tell, the intruder manag
Once again I find myself trying to help someone piece together how an
intruder managed to get into their system. The system was way out of
date (FC6) so it is no surprise that they got compromised. What I can
tell, the intruder managed to get root which allowed them to remove the
iptables file a