
Re: What could a regular user do with a .rpmdb directory uploaded?



On Wed, 06 Jun 2012 14:21:13 -0300, francis picabia wrote:

> On Wed, Jun 6, 2012 at 1:45 PM, Camaleón <noelamac@gmail.com> wrote:
>> On Wed, 06 Jun 2012 12:20:51 -0300, francis picabia wrote:
>>
>>> I think I've found a compromised user account.
>>
>> Wow :-(
>>
>> How did they get in (unpatched application, password theft...)?
> 
> In many cases, phishing - simply asking for the password as if it were a
> legit request - is enough to get a password.  In this case, I would
> guess the user had a keylogger, but I don't really know yet. We run
> denyhosts, so I'm pretty sure it wasn't by brute force.

Ugh, you should train your users against this kind of request so they 
ignore them ;-(
 
>>> This is on Debian but alien is installed.  The attackers have not made
>>> a move yet, but have done some tests and kept their connections to
>>> scp/sftp to be unnoticed by last.
>>
>> Kill them and correct the vulnerability >:-)
> 
> Well, we've changed all their passwords and we'll get in touch with the
> user to advise.

You look very relaxed with this (I'd be very stressed :-P), but although 
you seem to have the situation under control, it won't harm to run 
rkhunter or another specialized anti-rootkit, just to be sure that all is 
fine and there are no additional holes in the system.

>>> There is a directory .rpmdb uploaded to their home directory.  How
>>> could this be used to set up their software?  I mean, is there a
>>> special angle they are aiming at which achieves a result they would
>>> not have realized by only using make on their sources?
>>
>> That directory can be normal if you have alien installed. But if they
>> have access to a shell they can run the usual commands that are
>> available for a standard user.
> 
> Right.  So this person was trying to stay under the radar via scp/sftp
> and uploaded some stuff.  When the day of the main action comes up and
> they use ssh and shell, of what advantage could an especially set up
> .rpmdb directory be to an ordinary user?  Maybe I should ask on the
> Redhat list...

I can't guess any, because an empty folder means not much (it could have 
been automatically created by your system if they just ran the "alien" 
command).

> I could see why it would be fun to run a honey pot.

Uff, I envy the serene outlook you've taken for this :-)

Greetings,

-- 
Camaleón
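The thread mentions that the intruder kept to scp/sftp so the sessions would not show up in `last`. That works because `last` reads /var/log/wtmp, and a non-interactive SSH session (no pty) never writes a wtmp record; sshd still logs the authentication and the sftp subsystem request to auth.log. The script below is an added example, not code from anyone in this thread, that pulls those sftp-only sessions out of OpenSSH's syslog lines. It assumes Debian's standard auth.log format, and the log lines it carries are constructed sample data, not real logs from the poster's system.

```shell
#!/bin/sh
# Added example (not from the thread): list SSH logins that went straight
# to the sftp subsystem. Such sessions allocate no pty and write no wtmp
# record, so `last` never shows them, but sshd still logs them.
# Assumption: OpenSSH's usual syslog lines as found in /var/log/auth.log
# on a Debian host.

# Constructed sample of auth.log lines (not real log data).
sample_auth_log() {
    cat <<'EOF'
Jun  6 11:02:17 host sshd[12345]: Accepted password for alice from 203.0.113.7 port 51022 ssh2
Jun  6 11:02:17 host sshd[12345]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Jun  6 11:02:18 host sshd[12351]: subsystem request for sftp by user alice
Jun  6 11:04:40 host sshd[12345]: pam_unix(sshd:session): session closed for user alice
Jun  6 12:10:03 host sshd[12400]: Accepted publickey for bob from 198.51.100.2 port 40211 ssh2
Jun  6 12:10:03 host sshd[12400]: pam_unix(sshd:session): session opened for user bob by (uid=0)
Jun  6 13:30:51 host sshd[12500]: Accepted password for alice from 198.51.100.77 port 33002 ssh2
Jun  6 13:30:52 host sshd[12506]: subsystem request for sftp by user alice
Jun  6 13:31:00 host sshd[12600]: subsystem request for sftp by user carol
EOF
}

# Reads auth.log lines on stdin. For every sftp subsystem request, print
# the user, the source address and auth method from that user's most
# recent "Accepted" line, and the time of the request. OpenSSH logs the
# subsystem request from the unprivileged child, whose PID differs from
# the one on the "Accepted" line, so the join is by user name, not PID.
# A request with no preceding "Accepted" line (e.g. rotated log) is
# reported with "unknown" in both columns rather than dropped.
sftp_only_logins() {
    awk '
    $5 ~ /^sshd\[/ && $6 == "Accepted" {
        # $7 = auth method, $9 = user, $11 = source address
        method[$9] = $7; src[$9] = $11
    }
    /subsystem request for sftp by user / {
        u = $NF
        printf "%s %s %s %s %s %s\n", u,
               (u in src) ? src[u] : "unknown",
               (u in method) ? method[u] : "unknown",
               $1, $2, $3
    }'
}

# Usage: sample_auth_log | sftp_only_logins
# or:    sftp_only_logins < /var/log/auth.log
```

Bob's interactive login is deliberately absent from the output: it gets a pty, shows up in `last`, and is not what the thread is worried about. Alice's two sftp sessions from two different addresses and carol's orphaned request are exactly the lines a `last`-only review would miss.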
