So I set up a Linux server and forgot to disable clear-text SSH password authentication, install denyhosts, or enable any kind of password policy. Usually I have denyhosts and it works well. As a result of missing this vital step (yes, I should automate the process), a user with a weak password has been hacked. Now, on the assumption that the general permissions are good, what can I do to work out what they did and remove it?
By the way, I am a programmer by nature, not a system admin, so please be kind!
Answer
You can never be completely sure what they did on the user account. But places to start are the .*history files in the home directory.
My advice would be to copy out the known good/important data and then blow the rest away. The intruder could have left all sorts of nasty surprises in configuration files, .bashrc, etc.
You should also check to see if any files owned by the user are on the system and look for running processes:
# find / -user USERNAME
# ps -f -u USERNAME
For the future, I would advise turning on process accounting. You can then check previously run commands using 'lastcomm'.
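The checks described in the answer above (history files, startup dotfiles, files and processes owned by the user, lastcomm), gathered into one first-pass triage script. This is an added example, not code from the question or the answer; the home-directory layout, the pattern list for "suspicious" dotfile lines, and the /home/USER path are assumptions. Run the system-wide part as root against the real account, and work on a copy of the home directory (cp -a) rather than the live one.

```sh
#!/bin/sh
# Added example: first-pass triage of a compromised user account.
# Paths, pattern list and /home/$user layout are assumptions for illustration.

# Print every shell history file in a home directory with size and mtime,
# so an emptied or truncated history is visible at a glance.
list_history_files() {
    home="$1"
    find "$home" -maxdepth 1 -name '.*history' -type f -exec ls -l {} \; 2>/dev/null
}

# Heuristic scan of startup files for lines that fetch or run remote content
# (curl/wget pipes, /dev/tcp reverse shells, base64-decoded payloads).
# A hit is something to read by hand, not proof of compromise.
# ~/.ssh/rc is included because OpenSSH runs it on every login.
grep_suspicious_dotfiles() {
    home="$1"
    for f in .bashrc .bash_profile .profile .bash_logout .zshrc .ssh/rc; do
        [ -f "$home/$f" ] || continue
        grep -nE 'curl|wget|nc |ncat|/dev/tcp|base64 -d|python.*socket|chmod \+x' \
            "$home/$f" 2>/dev/null | sed "s|^|$f:|"
    done
}

# Count non-comment, non-empty entries in authorized_keys: any key you did not
# put there is the intruder's way back in after you change the password.
list_authorized_keys() {
    home="$1"
    [ -f "$home/.ssh/authorized_keys" ] || { echo 0; return 0; }
    grep -cvE '^[[:space:]]*(#|$)' "$home/.ssh/authorized_keys" || true
}

# Home-directory checks only; safe to run against a copied directory.
triage_home() {
    home="$1"
    echo "== history files =="
    list_history_files "$home"
    echo "== suspicious lines in startup files =="
    grep_suspicious_dotfiles "$home"
    echo "== authorized_keys entries =="
    list_authorized_keys "$home"
}

# System-wide checks from the answer (find, ps, crontab, lastcomm).
# These need root and a real username, and lastcomm only has data if
# process accounting (acct/psacct) was already enabled before the break-in.
system_checks() {
    user="$1"
    echo "== files owned by $user outside the home directory =="
    find / -xdev -user "$user" -not -path "/home/$user/*" 2>/dev/null
    echo "== running processes =="
    ps -o pid,ppid,lstart,cmd -u "$user"
    echo "== crontab =="
    crontab -l -u "$user" 2>/dev/null
    echo "== process accounting =="
    command -v lastcomm >/dev/null 2>&1 && lastcomm --user "$user" 2>/dev/null | head -n 50
}

# Usage: ./triage.sh USERNAME   (as root)
if [ -n "${1:-}" ]; then
    triage_home "/home/$1"
    system_checks "$1"
fi
```

The home-directory half is deliberately separated from the system-wide half so it can be pointed at a read-only copy of the account; the dotfile patterns are a starting point and will miss an attacker who simply edits PATH or drops a binary with an innocuous name, which is why the answer's advice to rebuild rather than clean still stands.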