Educause Security Discussion mailing list archives
Re: i think i'm hacked - is this the right place to ask ?
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Wed, 16 Nov 2016 22:01:00 -0500
On Thu, 17 Nov 2016 03:22:41 +0100, "Lentes, Bernd" said:
> The host should not be accessible from the internet (I trust our firewall admin ...).
The fact you trust the firewall admin doesn't in fact mean the firewall was correctly configured, and the software patched.
> last says (IP addresses deleted for the root logins):
If your system was configured to allow direct logins by root, rather than requiring login to an existing userid and then use /bin/su or /bin/sudo to get root access, you're going to have a bad auditing day.
> guest-ic tty9 :2 Wed Nov 16 15:13 - 15:13 (00:00)
> guest-gi tty8 :1 Wed Nov 16 14:17 gone - no logout
> Tty8 and tty9? Sounds strange to me.
The :1 and :2, combined with the tty8 and tty9, tend to indicate that these were logins on the GUI at the console. Time to check who had physical access to the machine. (A misconfigured gdm that allows remote logins will also get you :1 and :2, but won't have a corresponding tty entry.)
Given that your organization doesn't seem to have any incident response or security expertise, there is a *very* high chance that this is just the tip of the iceberg, and you may likely have a lot of *other* compromised systems. Be prepared to check every single server and PC.
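The reading of `last` output described in the reply above, as an added example that is not part of the original message: a Python triage that flags direct root logins, GUI console logins (X display plus ttyN) and X-display sessions with no tty entry. The sample rows are constructed (the guest-* rows mirror the quoted output; the other rows, the column layout and the finding names are assumptions).

```python
import re

# Constructed sample in the user / line / host column order of `last`.
# guest-* rows mirror the post; root, alice, bob and reboot rows are made up.
SAMPLE = """\
guest-ic tty9         :2               Wed Nov 16 15:13 - 15:13  (00:00)
guest-gi tty8         :1               Wed Nov 16 14:17    gone - no logout
root     pts/0        192.0.2.10       Wed Nov 16 13:02 - 13:40  (00:38)
alice    :1           :1               Tue Nov 15 09:00 - 17:05  (08:05)
bob      pts/1        192.0.2.22       Tue Nov 15 08:30 - 08:45  (00:15)
reboot   system boot  4.x-example      Mon Nov 14 07:58 - 15:13 (2+07:15)
"""

DISPLAY = re.compile(r"^:\d+(\.\d+)?$")   # X display such as :1 or :0.0
TTY = re.compile(r"^tty\d+$")             # local virtual console
PSEUDO = {"reboot", "shutdown", "runlevel"}


def classify(line):
    """Return (user, finding) for one `last` row, or None for rows to skip."""
    fields = line.split()
    if len(fields) < 3 or fields[0] in PSEUDO or fields[0].startswith("wtmp"):
        return None
    user, term, host = fields[:3]
    if user == "root":
        # Direct root login: no personal userid to attribute the session to.
        return user, "direct-root-login"
    if DISPLAY.match(host) and TTY.match(term):
        # :N together with ttyN: GUI login at the physical console.
        return user, "gui-console-login"
    if DISPLAY.match(host):
        # :N without a tty: the case the reply ties to a misconfigured gdm.
        return user, "x-display-without-tty"
    return user, "other"


def triage(text):
    """Group users by finding, dropping rows classified as 'other'."""
    findings = {}
    for row in text.splitlines():
        result = classify(row)
        if result and result[1] != "other":
            findings.setdefault(result[1], []).append(result[0])
    return findings


if __name__ == "__main__":
    for finding, users in triage(SAMPLE).items():
        print(f"{finding}: {', '.join(users)}")
```
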