Re: Help needed - server hacked twice in three days (and I don't think I'm a newbie)

To: Karsten Dambekalns <Karsten@k-fish.de>
Cc: debian-security@lists.debian.org
Subject: Re: Help needed - server hacked twice in three days (and I don't think I'm a newbie)
From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>
Date: Thu, 21 Jul 2005 22:52:57 +0200
Message-id: <[🔎] 87hden51au.fsf@informatik.uni-tuebingen.de>
In-reply-to: <[🔎] 200507212150.57472.Karsten@k-fish.de> (Karsten Dambekalns's message of "Thu, 21 Jul 2005 21:50:57 +0200")
References: <[🔎] 200507212017.39013.Karsten@k-fish.de> <42DFE9FF.9080005@antiszoc.hu> <[🔎] 200507212150.57472.Karsten@k-fish.de>

Karsten Dambekalns <Karsten@k-fish.de> writes:

> Hi.
>
> On Thursday 21 July 2005 20:31, Andras Got wrote:
>> The users, the ones the machines was hacked, were they existing users on
>> the machine?
>
> I don't know which user account got hacked, if this was what has happened.

Did you check the last lock? Maybe the attacker didn't remove the
traces there.

Did you check if any users have their secret ssh key on your system
and asked them to generate new keys? The attacker might have copied the
secret key and can now log in without password.

Also the attacker might have compromised one of your users systems and
got an ssh key from there. So its probably best to remove all keys and
generate new ones.

Just some thoughts,
        Goswin

Reply to:

Follow-Ups:
- Re: Help needed - server hacked twice in three days (and I don't think I'm a newbie)
  - From: Karsten Dambekalns <Karsten@k-fish.de>
- Re: Help needed - server hacked twice in three days (and I don't think I'm a newbie)
  - From: Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de>

References:
- Help needed - server hacked twice in three days (and I don't think I'm a newbie)
  - From: Karsten Dambekalns <Karsten@k-fish.de>
- Re: Help needed - server hacked twice in three days (and I don't think I'm a newbie)
  - From: Karsten Dambekalns <Karsten@k-fish.de>

Prev by Date: Re: Help needed - server hacked twice in three days (and I don't think I'm a newbie)
Next by Date: Re: Help needed - server hacked twice in three days (and I don't think I'm a newbie)
Previous by thread: Re: Help needed - server hacked twice in three days (and I don't think I'm a newbie)
Next by thread: Re: Help needed - server hacked twice in three days (and I don't think I'm a newbie)
Index(es):
- Date
- Thread