Re: [K12OSN] I got hacked.........

Julius Szelagiewicz (julius@turtle.com)
Tue, 9 Apr 2002 20:46:51 -0400 (EDT)


Michael,
	jim is right - start from scratch, and think hard if you really
need sshd configured to use passwords. it is a pain in the butt to go only
with keys posted to authorized_keys files, but it is a lot safer. you may
also rethink the frequency of changes of root password. julius

On Tue, 9 Apr 2002, Michael Cortes wrote:

> It would appear that someone used SSH to get into my system.  I decided to
> install sshd and stop telnet'ing because of the security risk, as soon as I do
> it, someone got in.
>
> Anyhow, here is what I suspect so far:
>
> 1. when they got in, they created the user "cgi"
> 2. they added "unset HISTFILE" and "unset HISTSAVE" to the root's
> .bash_profile.  This caused root to not save the history so I couldn't see
> what was run as root.
> 3. logging is not happening.  I have checked my log files and the last entries
> are about the time I first detected the break in.
>
> So my questions are:
>
> Did I do right by deleting the cgi user?  Was this user necessary?
> How do I turn logging back on?  I have no idea where to look.
> What is a good/quick way to tell which users have no password set?
>
> Thank you,
>
>
>
>
> Michael Cortes
> Fort LeBoeuf School District
> 34 East 9th Street
> PO Box 810
> Waterford PA 16411-0810
> 814.796.4795
> Fax1 814.796.3358
> Fax2 978-389-1258
>
>
>
> _______________________________________________
> K12OSN mailing list
> K12OSN@redhat.com
> https://listman.redhat.com/mailman/listinfo/k12osn
> For more info see 
>
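
Added example, not part of either message: read-only checks for the symptoms raised in the thread (accounts with no password set, unexpected UID 0 accounts, and history variables unset in a startup file). The function names, the account names demo1/demo2 and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only account and profile checks, run on constructed files.

# Accounts whose shadow password field (2nd field) is empty: no password needed.
# Locked entries ("*", "!", "!!") are not empty and are not reported.
empty_password_users() {
    awk -F: '$2 == "" { print $1 }' "${1:-/etc/shadow}"
}

# Accounts other than root that carry UID 0.
extra_uid0_users() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "${1:-/etc/passwd}"
}

# Lines in a shell startup file that unset history variables ("lineno:text").
history_unset_lines() {
    grep -nE '^[[:space:]]*unset[[:space:]]+HIST' "$1"
}

# Constructed sample data (hypothetical accounts, not from the affected host).
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
cat > "$SAMPLE/shadow" <<'EOF'
root:$1$constructed$placeholderhash:11786:0:99999:7:::
bin:*:11786:0:99999:7:::
demo1:!!:11786:0:99999:7:::
demo2::11786:0:99999:7:::
EOF
cat > "$SAMPLE/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
demo1:x:500:500::/home/demo1:/bin/bash
demo2:x:0:0::/home/demo2:/bin/bash
EOF
cat > "$SAMPLE/bash_profile" <<'EOF'
PATH=$PATH:$HOME/bin
export PATH
unset HISTFILE
unset HISTSAVE
EOF

echo "empty password: $(empty_password_users "$SAMPLE/shadow")"
echo "extra UID 0:    $(extra_uid0_users "$SAMPLE/passwd")"
echo "history lines:"
history_unset_lines "$SAMPLE/bash_profile"
```

With no argument the first two functions read the live /etc/shadow (root required) and /etc/passwd. On a host believed compromised, run them against copies of those files from trusted media, since local binaries may have been replaced.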


