Operating System - Linux

Re: How did they do this?

Gordon Morrison_1
Regular Advisor

Re: How did they do this?

Just because you have disabled (direct) root logins doesn't prevent someone from logging in, then using su to gain root permissions.

I would suspect an inside job, then start looking at the logs from other hosts from which they could have logged into this one from. (I presume you know approximately when this happened?)

They wiped their fingerprints from the house they burgled, but did they wipe their footprints from the path outside?
What does this button do?
Rick Garland
Honored Contributor

Re: How did they do this?

Hi Gordon:

I did have PAM set up to only allow root logins to members of the wheel group. If this was an inside job, then this would have been done by a wheel group member.

Even if I gave out the root passwd to the world, if you are not a member of the wheel group you cannot access the root account unless you are sitting at the console in a secure data center.

As to looking for outside footprints, there is no other access from other systems. Exception, members of the wheel group have access to the system from their local desktops but firewalls prevent access from any other server within the data center. Access to the system was gained from the outside via VPN, else you hit the URL in your web browser.
Paul Cross_1
Respected Contributor

Re: How did they do this?

Check all suid files, not just shells. suid vi is common. vi /etc/passwd is very simple...
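A defender's version of the check Paul describes, as an added example that is not part of the thread: inventory every setuid/setgid file on the box and diff it against a baseline taken when the system was known good (the baseline path is an assumption; take it on a fresh install and keep it off the host).

```shell
#!/bin/sh
# Added example (not from the thread): find setuid/setgid files and report
# anything that was not in a known-good baseline, e.g. a setuid copy of vi.

# List regular files under $1 with the setuid (4000) or setgid (2000) bit set,
# one absolute path per line, sorted so the result can be compared with comm.
# -xdev keeps find on one filesystem so /proc, /dev and NFS mounts are skipped.
list_suid() {
    find "$1" -xdev \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null | sort
}

# Print setuid/setgid files under $1 that are absent from the baseline file $2.
# The baseline is a sorted list produced earlier by list_suid on a trusted system
# (assumed path, e.g. /var/lib/suid-baseline.txt stored on a separate host).
new_suid_since_baseline() {
    list_suid "$1" | comm -13 "$2" -
}
```

Run `list_suid / > baseline.txt` on a trusted install, then `new_suid_since_baseline / baseline.txt` periodically; any output is a file that gained setuid/setgid since the baseline and needs explaining.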
Don_89
Trusted Contributor

Re: How did they do this?

I would run Nessus against the box to point out vulnerabilities. Also, set up syslog to log to a different server so if it happens again, you'll at least have an IP address to track down.

Also, someone posted that the passwords were possibly sniffed. This isn't true if you're using SSH.
Rick Garland
Honored Contributor

Re: How did they do this?

Hi all:

It's been over a year since this incident. I have upgraded all packages. No further incidents have occurred.

Many thanks for all the ideas. I am keeping track of each and every one of these ideas as my baseline for setting up new systems.

I must close this thread now.

Again, thanks
Rick Garland
Honored Contributor

Re: How did they do this?

Thanks to all!