How could this account have been cracked?
- From: "robb@xxxxxxx" <robb@xxxxxxx>
- Date: 25 Sep 2006 00:24:11 -0700
Hi,

I'm a longtime Linux admin, and I'm really puzzled by some unauthorized
use I just found:

I personally created an account with a somewhat uncommon spelling of a
name. I told no one about this account. I personally only once logged
into it from the console in my private office running KDE in order to
test it. It's possible I gave it a weak password. (I've since
forgotten it.)

Only seven days later, "last" shows someone ssh'ing into the account.
Inspection shows that this person really knew what they were doing -
attempting to install a rootkit, setting up a spam process, etc.

I have no idea how the existence of this account was detected.

Thanks for any possible ideas!