Hello Stephan,

I recently had to clean up after a break-in (which is what inspired me to join this list). Some comments to add to Pete's followup:

On Sat, 5 Aug 2000, OKDesign oHG Security Webmaster wrote:

> > Someone might install some scripts to USER account and for example copy all input/output to a file, including su passwords.
>
> Good idea. But how should he manage to get this script started?
As Pete said, consider any environment that has been broken into (even just one of your users) hostile until completely proven otherwise. Closely inspect *all* of those user files, *especially* the dot-files. Sometimes, the only thing changed in the login profile command (e.g. .bashrc or .bash_profile) is the "PATH=" statement, to add a new directory to the beginning of the list. I've actually seen a new directory of "...", designed to be overlooked with the usual "." and ".." at the top. I've also heard mention of ".^H" or ".<rubout>" but am not sure how a person either creates or uses such a directory.

Also, *heavily* scrutinize /tmp! This is ESPECIALLY imperative if anyone hasn't responded to the recent SuSE advisory regarding aaabase (where a few users, such as "nobody", have /tmp as their home directory). In this case, look for "/tmp/.bashrc".

Often, the best approach, when a user account has been compromised, is to back it (and /tmp) up to a secure location, re-initialize it and /tmp, and then give the user their data files, one at a time, after carefully examining them.

Hope this helps.

Best regards,
Ken Parker

P.S. When the "Script Kiddies" gained root on my system, they linked /root/.bash_history to /dev/null. That was the last straw, when I was examining my system, inspiring me to yank the ethernet cord out of the back of the computer. (They entered through a year-old Sendmail vulnerability.)
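As an added example (not part of Ken's post or anything from the list), the following POSIX shell script turns the three indicators he describes into checks you can run over a suspect home directory and /tmp: PATH assignments in login dot-files that put a new directory ahead of the existing $PATH, directories named "..." or containing control characters (the ".^H" trick), and a planted /tmp/.bashrc. The user name "alice", the file contents and the whole directory tree are constructed sample data built by make_sample in a scratch directory, so the script runs offline; the function names are this example's own.

```shell
#!/bin/sh
# Added example: audit helpers for the indicators in the post above.
# make_sample builds a constructed tree so the checks can be demonstrated offline.

# Build a constructed sample under $1: a fake home with a tampered .bashrc,
# a "..." directory, a ".<backspace>" directory, and a planted /tmp/.bashrc.
make_sample() {
    mkdir -p "$1/home/alice/..." "$1/home/alice/.ssh" "$1/tmp"
    mkdir -p "$1/home/alice/.$(printf '\010')"   # ".^H": looks like "." in ls
    cat > "$1/home/alice/.bashrc" <<'EOF'
# .bashrc
alias ls='ls --color=auto'
PATH=/home/alice/.../bin:$PATH
export PATH
EOF
    cat > "$1/home/alice/.profile" <<'EOF'
# harmless: appends to PATH, does not prepend
PATH="$PATH:$HOME/bin"
EOF
    printf 'echo planted\n' > "$1/tmp/.bashrc"
}

# Print directories under $1 whose name is "..." or contains a control
# character; both are meant to hide among "." and ".." in ls output.
odd_dirs() {
    find "$1" -type d | LC_ALL=C grep -E '(/\.\.\.$|[[:cntrl:]])' || true
}

# Print PATH assignments in file $1 whose first entry is a literal directory,
# i.e. something is placed ahead of the existing $PATH. An append such as
# PATH="$PATH:$HOME/bin" is not reported. Prepends via a variable
# (PATH=$HOME/x:$PATH) are not caught by this heuristic; read those by hand.
path_prepends() {
    pat="^[[:space:]]*(export[[:space:]]+)?PATH=[\"']?[^\$\"']"
    grep -nE "$pat" "$1" || true
}

# Print $1/.bashrc if it exists: a login file in world-writable /tmp means a
# script was planted for an account whose home is /tmp (e.g. "nobody").
stray_tmp_rc() {
    [ -f "$1/.bashrc" ] && printf '%s\n' "$1/.bashrc"
    return 0
}

# Number of output lines from a command, as a bare integer.
count_lines() { "$@" | wc -l | tr -d ' '; }

# Run all three checks over a home directory ($1) and a tmp directory ($2).
audit() {
    echo "== suspicious directories under $1"
    odd_dirs "$1" | LC_ALL=C cat -v          # cat -v renders ^H visibly
    echo "== PATH prepends in login files"
    for f in "$1/.bashrc" "$1/.bash_profile" "$1/.profile"; do
        [ -f "$f" ] && path_prepends "$f" | sed "s|^|$f:|"
    done
    echo "== stray rc files in $2"
    stray_tmp_rc "$2"
}

# Demo on the constructed tree. Against a real box: audit /home/alice /tmp
root=$(mktemp -d)
make_sample "$root"
audit "$root/home/alice" "$root/tmp"
rm -rf "$root"
```

Run it as root on a copy of the suspect home taken with cp -a or tar, not on the live account, so the attacker's files keep their timestamps and nothing in the dot-files is ever sourced by your own shell.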