Re: What could a regular user do with a .rpmdb directory uploaded?
On Wed, 06 Jun 2012 14:21:13 -0300, francis picabia wrote:
> On Wed, Jun 6, 2012 at 1:45 PM, Camaleón <noelamac@gmail.com> wrote:
>> On Wed, 06 Jun 2012 12:20:51 -0300, francis picabia wrote:
>>
>>> I think I've found a compromised user account.
>>
>> Wow :-(
>>
>> How did they get in (unpatched application, password stealing...)?
>
> In many cases, phishing - simply asking for the password as if it were a
> legit request - is enough to get a password. In this case, I would
> guess the user had a keylogger, but I don't really know yet. We run
> denyhosts, so I'm pretty sure it wasn't by brute force.
Ugh, you should train your users against this kind of request so they
ignore them ;-(
>>> This is on Debian but alien is installed. The attackers have not made
>>> a move yet, but have done some tests and kept their connections to
>>> scp/sftp to be unnoticed by last.
>>
>> Kill them and correct the vulnerability >:-)
>
> Well, we've changed all their passwords and we'll get in touch with the
> user to advise.
You look very relaxed about this (I'd be very stressed :-P) but although
you seem to have the situation under control, it won't hurt to run
rkhunter or another specialized anti-rootkit tool, just to be sure that all is
fine and there are no additional holes in the system.
>>> There is a directory .rpmdb uploaded to their home directory. How
>>> could this be used to set up their software? I mean, is there a
>>> special angle they are aiming at which achieves a result they would
>>> not have realized by only using make on their sources?
>>
>> That directory can be normal if you have alien installed. But if they
>> have access to a shell they can run the usual commands that are
>> available for a standard user.
>
> Right. So this person was trying to stay under the radar via scp/sftp
> and uploaded some stuff. When the day of the main action comes up and
> they use ssh and shell, of what advantage could an especially set up
> .rpmdb directory be to an ordinary user? Maybe I should ask on the
> Redhat list...
I can't guess any, because an empty folder means not much (it could have
been automatically created by your system if they just ran the "alien"
command).
> I could see why it would be fun to run a honey pot.
Uff, I envy the serene outlook you've taken for this :-)
Greetings,
--
Camaleón
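The thread above notes that the attacker stuck to scp/sftp so the logins would not show up in `last`. That works because `last` reads wtmp, and sshd only writes a utmp/wtmp record when it allocates a pty; a non-interactive sftp or scp session never gets one. The login is still recorded by sshd itself in auth.log, which is where to look instead. The script below is an added example written for this page, not code from the original thread or from Debian. It parses constructed auth.log lines (user, host, IPs and pids are made up) and lists every accepted login together with the subsystem it requested, so sftp-only logins for a given account can be picked out. It assumes OpenSSH with privilege separation, where the "Accepted ..." line and the later "subsystem request for sftp" line of one connection carry the same sshd[pid], and it assumes pids are not reused within the window being examined.

```python
import re
from collections import defaultdict

# Constructed sample of sshd lines in /var/log/auth.log syntax.
# Not taken from the original thread; host, user, IPs and pids are made up.
SAMPLE_AUTH_LOG = """\
Jun  6 09:12:01 mailhost sshd[4101]: Accepted password for jdoe from 203.0.113.5 port 51234 ssh2
Jun  6 09:12:01 mailhost sshd[4101]: pam_unix(sshd:session): session opened for user jdoe by (uid=0)
Jun  6 09:12:02 mailhost sshd[4101]: subsystem request for sftp
Jun  6 09:30:44 mailhost sshd[4190]: Accepted publickey for admin from 198.51.100.7 port 40022 ssh2
Jun  6 09:30:44 mailhost sshd[4190]: pam_unix(sshd:session): session opened for user admin by (uid=0)
Jun  6 11:02:10 mailhost sshd[4377]: Failed password for root from 203.0.113.9 port 33001 ssh2
Jun  6 13:45:09 mailhost sshd[4412]: Accepted password for jdoe from 203.0.113.5 port 51810 ssh2
Jun  6 13:45:09 mailhost sshd[4412]: pam_unix(sshd:session): session opened for user jdoe by (uid=0)
Jun  6 13:45:10 mailhost sshd[4412]: subsystem request for sftp
"""

# "Accepted <method> for <user> from <ip> port <port> ssh2" as logged by sshd.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
# "subsystem request for sftp", logged under the same sshd[pid] with privsep.
SUBSYSTEM_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[(?P<pid>\d+)\]: "
    r"subsystem request for (?P<subsys>\w+)"
)


def parse_sessions(log_text):
    """Return one dict per accepted login, in log order.

    Each dict carries ts, pid, method, user, ip, port and 'subsystem'
    (e.g. 'sftp'), or None when no subsystem request was logged for that
    pid. Failed logins are ignored. Assumes one connection per pid.
    """
    sessions = {}
    subsystems = defaultdict(list)
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["subsystem"] = None
            sessions[rec["pid"]] = rec
            continue
        m = SUBSYSTEM_RE.match(line)
        if m:
            subsystems[m["pid"]].append(m["subsys"])
    for pid, rec in sessions.items():
        if subsystems.get(pid):
            rec["subsystem"] = subsystems[pid][0]
    return list(sessions.values())


def sftp_only_logins(log_text, user=None):
    """Accepted logins that requested the sftp subsystem, optionally for one user.

    These are exactly the sessions that never appear in `last`, because sshd
    writes no wtmp entry for a session without a pty.
    """
    return [
        s for s in parse_sessions(log_text)
        if s["subsystem"] == "sftp" and (user is None or s["user"] == user)
    ]


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_AUTH_LOG):
        kind = s["subsystem"] or "shell/command"
        print(f"{s['ts']} {s['user']:<8} {s['ip']:<15} {s['method']:<10} {kind}")
    print("sftp-only logins for jdoe:",
          [(s["ts"], s["ip"]) for s in sftp_only_logins(SAMPLE_AUTH_LOG, "jdoe")])
```

On a real box, feed it `/var/log/auth.log` (and the rotated copies) rather than the constructed sample, and compare the accepted logins for the account against `last <user>`: anything present in auth.log but missing from `last` is a pty-less session. Note that scp does not request a subsystem, it runs as a remote command, so at the default `LogLevel INFO` an scp login shows up here with subsystem `None`, indistinguishable from an interactive shell; with `LogLevel VERBOSE` sshd additionally logs a "Starting session: ..." line that says whether a shell, a command or a subsystem was started.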