Re: Help needed - server hacked twice in three days (and I don't think I'm a newbie)
Karsten Dambekalns <Karsten@k-fish.de> writes:
> On Thursday 21 July 2005 20:31, Andras Got wrote:
>> The users, the ones the machines was hacked, were they existing users on
>> the machine?
> I don't know which user account got hacked, if this was what has happened.
Did you check the last lock? Maybe the attacker didn't remove the
Did you check if any users have their secret ssh key on your system
and asked them to generate new keys? The attacker might have copied the
secret key and can now log in without password.
Also the attacker might have compromised one of your users systems and
got an ssh key from there. So its probably best to remove all keys and
generate new ones.
Just some thoughts,