Re: Compromised user account, consequences?
From: Thorsten Küfer (thorsten.kuefer_at_uni-muenster.de)
Date: 01/12/05
- Previous message: Erik de Castro Lopo: "Re: Compromised user account, consequences?"
- In reply to: Gandalf Parker: "Re: Compromised user account, consequences?"
- Next in thread: Gandalf Parker: "Re: Compromised user account, consequences?"
- Reply: Gandalf Parker: "Re: Compromised user account, consequences?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 12 Jan 2005 09:11:25 +0100
Gandalf Parker wrote:
> Thorsten Küfer <thorsten.kuefer@uni-muenster.de> wrote in
>
>>What harm could arise from this break in? He didn't get root rights as
>>it seems. Is it sufficient to change the password?
>
> That's usually good if you keep an eye on things. A lot can be done without
> root but the bit of history you provided didn't seem to do it. The bot is
> probably an IRC bot which would display a banner showing that he has
> "owned" the box and can trade it for others.
The two downloaded and executed packages were EnergyMech and a helper for
staying on IRC after logout. EnergyMech was started as ./klogd to hide it.
A few commands left out showed some typos, so it seems that the hacker
wasn't a Linux guru.
> I would definitely get and run chkrootkit. If it shows that programs such as
> ls, ps, find have been compromised then I can tell you how to find the
> "hide these" files. Leaving the compromised ones in place is actually more
> hardened than starting over.
I got chkrootkit and it didn't find anything.
I updated OpenSSL & OpenSSH to the newest versions and changed to public key
authentication only.
Thorsten Küfer
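
An added example, not part of the original message: one way to spot a user process that borrows a daemon name, as the bot started as ./klogd did, by comparing the name a process shows with where its binary actually lives and who owns it. The trusted directories, the name list, the assumption that these daemons run as root, and the sample records are all assumptions made for this sketch.

```python
import os

# Assumption: directories where the real daemons live on the checked system.
TRUSTED_DIRS = ("/sbin", "/usr/sbin", "/bin", "/usr/bin")
# Names often borrowed to blend in; klogd is the one from this thread.
DAEMON_NAMES = {"klogd", "syslogd", "crond", "inetd"}

def suspicious(procs):
    """Return (pid, reason) for processes that carry a daemon name but do not
    look like the real daemon. Each proc is a dict: pid, uid, argv0, exe."""
    hits = []
    for p in procs:
        if os.path.basename(p["argv0"]) not in DAEMON_NAMES:
            continue
        exe, reasons = p["exe"], []
        if exe.endswith(" (deleted)"):  # the kernel appends this to the link
            reasons.append("binary deleted after start")
            exe = exe[:-len(" (deleted)")]
        if os.path.dirname(exe) not in TRUSTED_DIRS:
            reasons.append("runs from " + os.path.dirname(exe))
        if p["uid"] != 0:  # assumption: the genuine daemons run as root here
            reasons.append("owned by uid %d, not root" % p["uid"])
        if reasons:
            hits.append((p["pid"], "; ".join(reasons)))
    return hits

def read_proc():
    """Collect the same fields from /proc on a live Linux system."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open("/proc/%s/cmdline" % pid, "rb") as f:
                argv0 = f.read().split(b"\0")[0].decode(errors="replace")
            exe = os.readlink("/proc/%s/exe" % pid)
            uid = os.stat("/proc/%s" % pid).st_uid
        except OSError:
            continue  # process exited, kernel thread, or not readable
        procs.append({"pid": int(pid), "uid": uid, "argv0": argv0, "exe": exe})
    return procs

# Constructed sample: the real klogd, and a bot a user started as ./klogd.
SAMPLE = [
    {"pid": 412, "uid": 0, "argv0": "/sbin/klogd", "exe": "/sbin/klogd"},
    {"pid": 9731, "uid": 1004, "argv0": "./klogd", "exe": "/home/user/.x/klogd"},
    {"pid": 9800, "uid": 1004, "argv0": "bash", "exe": "/bin/bash"},
]

if __name__ == "__main__":
    print(suspicious(read_proc()))
```

Run as root so that /proc/<pid>/exe is readable for every process; on a box where a rootkit is suspected, /proc output itself may be filtered, so treat a clean result as one data point.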