search for: compromised

...d their use within (Open)SSH. I've been using OpenSSH happily with the assumption that using key-based authentication (RSA or DSA public keys pushed to .ssh/authorized_keys on remote hosts) provides a number of benefits, including an important security-related one -- Logging in to a known-root-compromised host is "safe" in that whatever is done on the remote machine would not compromise my private key in any way that would allow an attacker to further use data from an established session to compromise other hosts where the same pulic key is installed. However, a little while ago, as part...

There is a cluster of machines which I have an account on which was recently compromised. the machines have thousands of users and the only access is via ssh. via some mechanism (probably a weak password) the attacker was able to compromise a single account and use a local-root exploit to hijack lots of ssh-agents and any unpassword protected keys. they next tried to repeat the proce...

I have not, I'll look into that one, thanks! On 11/14/2019 9:48 AM, SternData wrote: > Do you run rkhunter? > > On 11/14/19 9:40 AM, Christopher Wensink wrote: >> How do you know when a Linux system has been compromised?? >> >> Every day I watch our systems with all the typical tools, ps, top, who, >> I watch firewall / IPS logs, I have logwatch setup and mailing daily >> summaries to me and I dive deeper into logs if something looks suspicious. >> >> What am I missing or not lo...

...It's IMO generally a bad idea to distribute "better/newer" keys over > a potentially already weaker trust path (i.e. something secured by the > old key). This is strictly no worse than continuing to use the old key, so I don't consider it a problem. > - If some key was compromised (and thus the server itself) an attacker > might use the feature to distribute his own keys, which, during clean > up from the attack, might be overseen. How is this different to the status quo? If you don't clean up keys after a compromise then you have a problem. Anyone doing this alre...

Hello @ all The libvirt-daemon compromises the packet-filtering-rules at daemon-startup, before any VM is started. To prevent this, I first have create a hook-script which deletes existing rules, but apparently these rules are set after the hook. Removing the defined networks was no solution either. Worst of all is, a service restart of the daemon may even completely neutralize the firewall.

My wife's office server was compromised today. It appears they ssh'ed in through account pcguest which was set up for Samba. (I don't remember setting up that account, but maybe I did.) At any rate, I found a bazillion "ftp_scanner" processes running. A killall finished them off quickly, I nuked the pcguest account, and...

...do not known, if this is really an issue but i noticed that when connecting to a remote ssh host with the standard linux openssh client using a private key, that there is no line of text indicating when the local key-passwd process was completed and the connection session was established. On a compromised host, the login shell could write the line 'Enter passphrase for key 'guess the filename using the current account name':'. If unnoticed, the user will think, that he misstyped the passphrase and repeat it. After capturing the word, the login could continue with the standard pro...

...lumsily leaving evidence behind, or whether it is just a local >> change from following some bad advice about things that need to be >> changed - or running some script to make those changes. The latter >> seems more likely to me. >> > > Be it me, I would consider box compromised. All done on/from that box > since probable day it happened compromised as well. If there is no way to > establish the day, then since that system originally build. With full > blown sweeping up the consequences. Finding really-really-really > convincing proof it is not a result of comp...

...sagreeing. > > Harder only from the point of view current tools script kiddies use will > not deal with then. Fundamentally better security/forensics wise would be > to keep logs on remote secure server. Like in the very first computer > security lesson: you can not trust anything on compromised machine. It's a matter of knowing your machine has been compromised. Modifying the binary logs to hide that you are there will result in checksum inconsistencies, removing a few lines from text logs will not. Yes, you can use text log to a remote machine to avoid that, but binary logs let...

...-11-14 10:01, Christopher Wensink wrote: > I have not, I'll look into that one, thanks! > > On 11/14/2019 9:48 AM, SternData wrote: >> Do you run rkhunter? >> >> On 11/14/19 9:40 AM, Christopher Wensink wrote: >>> How do you know when a Linux system has been compromised? I'm sure you have followed the procedure how to install system and services so everything is secure. If, in a longer run no matter that you have system set up and configured securely and keep updating, if still the system gets compromised, then you need: 1. compromise warming 2. forensic...

...he user can only compromise their own account. The risk is mittigated by the fact that before this bug can be exploited, the user must log in successfully through ssh. This means that either the user is known to the system (and therefore the administrators), or that the system is probably already compromised. However, on some older systems with broken implementations of the setuid() family of functions, a root compromise may be possible with certain configurations of rssh. Specifically, if rssh is configured to use a chroot jail, it will exec() rssh_chroot_helper, which must be setuid root in order t...

...rase which should never leave the client. I presume it could capture the public key, which could be read from the filesystem anyway. And I presume it could capture traffic to/from the virtual terminal. Is there any way for an attacker to replay authentication to a third machine, accessed via the compromised machine using ssh-agent ? If a user connects to a compromised machine using keys, but from an untainted client, do they need to change their keys or passphrase ? (I presume, in principle, that an attacker could steal private user keys and machine keys from a rooted server, then subvert the DNS...

No, we haven't been hacked. ;) We have a prospective client who is asking us what our policy is in the event of unauthorized access. Obviously you fix the system(s) that have been compromised, but what steps do you take to mitigate the effects of a breach? What is industry best practice? So far, searches haven't produced anything that looks consistent, except maybe identity monitoring for financial data. (EG: Target breach) We host a significant amount of educational data, but n...

...st was not hacked already > because i would clear those logs when i hacked a system :) > > but indeed it's a try, > > If you remain unsure, it is best to reinstall the system to be sure that a > fresh > and newly updated (yeah update it when installed :)) system is not > compromised at that > time.. > > loads of work, but it gives you some relief to know that it's clean. > > GoodLuck! > > -- > > Kind regards, > > Remko Lodder > Elvandar.org/DSINet.org > www.mostly-harmless.nl Dutch community for helping newcomers on the > hackersce...

...9; about, you need to take appropriate action at once. Also some backends merge Bugzilla and mailman password stores, which can cause unexpected secondary effects. I have not seen a patch yet, and so one has to assume that the configs and passwords for all mailman moderated mailing lists are compromised. Once a fix issues, Mailman moderators will want to do a global password change, and local list modification. -- Russ Herrold ---------- Forwarded message ---------- Date: Wed, 9 Feb 2005 18:15:02 +0000 From: John Cartwright <johnc at grok.org.uk> To: full-disclosure at lists.netsys.com...

...rks when you are presuming that the host was not hacked already because i would clear those logs when i hacked a system :) but indeed it's a try, If you remain unsure, it is best to reinstall the system to be sure that a fresh and newly updated (yeah update it when installed :)) system is not compromised at that time.. loads of work, but it gives you some relief to know that it's clean. GoodLuck! -- Kind regards, Remko Lodder Elvandar.org/DSINet.org www.mostly-harmless.nl Dutch community for helping newcomers on the hackerscene -----Oorspronkelijk bericht----- Van: freebsd-security-bounce...

On Thu, Feb 5, 2015 at 4:19 PM, Keith Keller <kkeller at wombat.san-francisco.ca.us> wrote: >> On C5 the default appears to be:- >> >> -rw-r--r-- 1 root root 1220 Jan 31 03:04 shadow > > It is much more likely that someone has screwed up your system. I think > even CentOS 4 had shadow as 400. And what on earth would the point be > in having a

I am not sure if I had a compromise but I am not sure I wanted some other input. I noticed in this in my daily security run output: pc1 setuid diffs: 19c19 < 365635 -rwsr-xr-x 1 root wheel 204232 Sep 27 21:23:19 2003 /usr/X11R6/bin/xscreensaver --- > 365781 -rwsr-xr-x 1 root wheel 205320 Dec 4 07:55:59 2003 /usr/X11R6/bin/xscreensaver It was the only file listed and I didn't

I have a server that has been compromised. I'm running version 4.6.2 when I do >last this line comes up in the list. shutdown ~ Thu Aug 28 05:22 That was the time the server went down. There seemed to be some configuration changes. Some of the files seemed to revert back to default versions (httpd....

1] not using secure http for log-ins seems a bit 20th century. 2] to join this mailing list, I needed to send my new credentials over unsecured http - see 1] above. 3] to change password from the compromised reset password, I need to use unsecured http - see 1] above. My point here is that if you are saddened, upset or concerned about the compromise, might the 3 above points also be on the list of things to address? Pardon if this is already pointed out, I've no desire to spend an hour to read ar...