On Thu, Feb 5, 2015 at 4:39 PM, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:
>
>>
>> Yes, /etc/shadow would have always been readable only by root by
>> default. The interesting question here is whether an intruder did
>> it, clumsily leaving evidence behind, or whether it is just a local
>> change from following some bad advice about things that need to be
>> changed - or running some script to make those changes. The latter
>> seems more likely to me.
>>
>
> Were it me, I would consider the box compromised. Everything done on/from
> that box since the probable day it happened is compromised as well. If
> there is no way to establish the day, then since that system was
> originally built. With full-blown sweeping up of the consequences.
> Finding really-really-really convincing proof that it is not a result of
> compromise (and yes, fight one's wishful thinking!).

You aren't being paranoid enough. If it happened as a result of
following some instructions or running a script, it's not just the box
that is compromised, it is everything you think you know. On the
other hand it could have just been an accidental typo.

-- 
Les Mikesell
lesmikesell at gmail.com
On Thu, February 5, 2015 5:07 pm, Les Mikesell wrote:
> On Thu, Feb 5, 2015 at 4:39 PM, Valeri Galtsev
> <galtsev at kicp.uchicago.edu> wrote:
>>
>>>
>>> Yes, /etc/shadow would have always been readable only by root by
>>> default. The interesting question here is whether an intruder did
>>> it, clumsily leaving evidence behind, or whether it is just a local
>>> change from following some bad advice about things that need to be
>>> changed - or running some script to make those changes. The latter
>>> seems more likely to me.
>>>
>>
>> Were it me, I would consider the box compromised. Everything done on/from
>> that box since the probable day it happened is compromised as well. If
>> there is no way to establish the day, then since that system was
>> originally built. With full-blown sweeping up of the consequences.
>> Finding really-really-really convincing proof that it is not a result of
>> compromise (and yes, fight one's wishful thinking!).
>
> You aren't being paranoid enough.

Really? My take is to take it as seriously as it can potentially be. It
_is_ paranoid, and is paranoid enough. Which would constitute a pretty good
compliment a responsible sysadmin can get ;-)

> If it happened as a result of
> following some instructions or running a script, it's not just the box
> that is compromised, it is everything you think you know. On the
> other hand it could have just been an accidental typo.

That's why I said "avoid wishful thinking". Yes, but "could have been" is
one story (then, still a variety of important things may be left in
jeopardy). Finding the proof that it is an accidental typo or a stupid
script is another. The second one takes much more time and effort in my
experience. I figure my teachers deserve their share of credit for teaching
me the way I am. Your response to an incident that just got discovered may
be different. But what, after all, it is your money (well, _his_ money in
this case). As I figure, there are no other users on this box. But imagine
there are...
Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
On Thu, Feb 5, 2015 at 5:29 PM, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:
>
>>> Were it me, I would consider the box compromised. Everything done on/from
>>> that box since the probable day it happened is compromised as well. If
>>> there is no way to establish the day, then since that system was
>>> originally built. With full-blown sweeping up of the consequences.
>>> Finding really-really-really convincing proof that it is not a result of
>>> compromise (and yes, fight one's wishful thinking!).
>>
>> You aren't being paranoid enough.
>
> Really? My take is to take it as seriously as it can potentially be. It
> _is_ paranoid, and is paranoid enough. Which would constitute a pretty good
> compliment a responsible sysadmin can get ;-)

No, you are saying don't trust that box.

>> If it happened as a result of
>> following some instructions or running a script, it's not just the box
>> that is compromised, it is everything you think you know. On the
>> other hand it could have just been an accidental typo.
>
> That's why I said "avoid wishful thinking".

I'm saying don't trust the source of the advice you were following when
this happened.

-- 
Les Mikesell
lesmikesell at gmail.com
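An added example, not from the thread or either poster, of the two facts the discussion turns on: whether the shadow file is still readable only by root, and whether there is any evidence for "the day it happened". It assumes GNU coreutils (stat -c, date -d); the table of acceptable mode/owner/group combinations is my assumption from stock installs, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread): audit a shadow file's permissions and
# report its ctime. Assumes GNU coreutils (stat -c, date -d). The accepted
# combinations below are an assumption based on stock installs
# (RHEL/CentOS: 000 root:root; Debian/Ubuntu: 640 root:shadow).

# shadow_mode_ok MODE OWNER GROUP
# Returns 0 when only root (plus, optionally, read access for group "shadow")
# can reach the file; 1 for anything a non-root user could read.
shadow_mode_ok() {
    mode=$1 owner=$2 group=$3
    m=$mode
    while [ ${#m} -lt 4 ]; do m=0$m; done   # stat prints "0" for mode 000
    obits=${m#???}                          # "other" digit
    t=${m%?}; gbits=${t#??}                 # "group" digit
    [ "$owner" = root ] || return 1
    [ "$obits" = 0 ] || return 1
    case "$group:$gbits" in
        *:0)      return 0 ;;   # no group access at all (root:root 000/400/600)
        shadow:4) return 0 ;;   # Debian-style root:shadow 640
    esac
    return 1
}

# check_shadow_perms [FILE]
# Prints one finding line and returns 0 (acceptable) or 1 (unexpected).
# The ctime is the last inode change (mode, owner, link count, ...). Unlike
# mtime it cannot be set with touch, so it is a lower bound on when the mode
# was last altered; a later chmod back, or a clock change, resets it, and on
# a box you already distrust it is a lead to correlate with logs, not proof.
check_shadow_perms() {
    f=${1:-/etc/shadow}
    [ -e "$f" ] || { echo "$f: missing"; return 2; }
    set -- $(stat -c '%a %U %G %Z' "$f")     # mode owner group ctime(epoch)
    if shadow_mode_ok "$1" "$2" "$3"; then verdict=ok; else verdict=UNEXPECTED; fi
    echo "$f mode=$1 owner=$2 group=$3 ctime=$(date -u -d "@$4" '+%Y-%m-%dT%H:%M:%SZ') $verdict"
    [ "$verdict" = ok ]
}

# Usage: . ./shadowcheck.sh; check_shadow_perms /etc/shadow
```

Run it from a trusted shell, and compare the reported ctime against login records and the package manager's own verification before drawing conclusions.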