Educause Security Discussion mailing list archives
Re: i think i'm hacked - is this the right place to ask ?
From: "Lentes, Bernd" <0000002c1fd0e2c2-dmarc-request () LISTSERV EDUCAUSE EDU>
Date: Thu, 17 Nov 2016 04:50:38 +0100
----- On Nov 17, 2016, at 4:01 AM, Valdis Kletnieks Valdis.Kletnieks () vt edu wrote:
> On Thu, 17 Nov 2016 03:22:41 +0100, "Lentes, Bernd" said:
> > The host should not be accessible from the internet (I trust our firewall admin ...).
>
> The fact you trust the firewall admin doesn't in fact mean the firewall was correctly configured, and the software patched.

I wanted to say that I don't trust him completely. We already once had ports on one host accessible from the internet which shouldn't have been.
> > last says (IP addresses deleted for the root logins):
>
> If your system was configured to allow direct logins by root, rather than requiring login to an existing userid and then use /bin/su or /bin/sudo to get root access, you're going to have a bad auditing day.

Graphical login is only possible for normal users. After that, su.
> > guest-ic tty9 :2 Wed Nov 16 15:13 - 15:13 (00:00)
> > guest-gi tty8 :1 Wed Nov 16 14:17 gone - no logout
> >
> > Tty8 and tty9? Sounds strange to me.
>
> The :1 and :2, combined with the tty8 and tty9, tend to indicate that these were logins on the GUI at the console. Time to check who had physical access to the machine. (A misconfigured gdm that allows remote logins will also get you :1 and :2, but won't have a corresponding tty entry)

Three people sitting in that office have physical access. When they leave, the office is locked.
> Given that your organization doesn't seem to have any incident response or security expertise, there is a *very* high chance that this is just the tip of the iceberg, and you may likely have a lot of *other* compromised systems. Be prepared to check every single server and PC.
Helmholtz Zentrum Muenchen
Deutsches Forschungszentrum fuer Gesundheit und Umwelt (GmbH)
Ingolstaedter Landstr. 1
85764 Neuherberg
www.helmholtz-muenchen.de
Chair of the supervisory board: MinDir'in Baerbel Brumme-Bothe
Managing directors: Prof. Dr. Guenther Wess, Dr. Alfons Enhsen
Register court: Amtsgericht Muenchen HRB 6466
VAT ID: DE 129521671
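The triage rules Valdis gives in the exchange above (a :N display together with a ttyN entry means a GUI session at the console; a :N display with no tty entry means the display manager should be checked for remote logins; direct root logins mean a bad auditing day) can be applied mechanically to `last` output. The script below is an added example and is not code from the thread or from either participant. The `last` lines it parses are constructed: the two guest-* lines mirror the ones posted, the rest are invented to exercise the other branches. The PermitRootLogin check assumes sshd is the remote login path, which the thread does not state.

```python
"""Triage `last` output along the lines described in the thread (added example).

Verdicts:
  DIRECT_ROOT_LOGIN  root logged in directly instead of via su/sudo
  GUI_CONSOLE        X display (:N) plus a ttyN entry: someone at the console
  DISPLAY_NO_TTY     X display (:N) with no ttyN entry: check whether the
                     display manager (gdm etc.) accepts remote sessions
  REMOTE_SHELL       pts/N with a remote origin (ssh or similar)
  OTHER              anything else, e.g. a text login on tty1
"""
import re
from dataclasses import dataclass

# `last` prints user, tty, origin, then a timestamp starting with a weekday.
# Anchoring on the timestamp keeps an empty origin column from shifting fields.
LINE_RE = re.compile(
    r"^(?P<head>.*?)\s+"
    r"(?P<when>[A-Z][a-z]{2} [A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2})"
    r"\s*(?P<rest>.*)$"
)
DISPLAY_RE = re.compile(r"^:\d+(\.\d+)?$")  # X display such as :1 or :0.0

# Constructed sample (not real wtmp data): the guest-* lines mirror the thread.
SAMPLE_LAST = """\
guest-ic tty9         :2               Wed Nov 16 15:13 - 15:13  (00:00)
guest-gi tty8         :1               Wed Nov 16 14:17   gone - no logout
guest-x  :3           :3               Wed Nov 16 13:02 - 13:40  (00:38)
root     pts/0        203.0.113.7      Wed Nov 16 02:11 - 02:40  (00:29)
bernd    pts/1        192.0.2.25       Wed Nov 16 09:00 - 17:30  (08:30)
bernd    tty1                          Tue Nov 15 08:12 - 08:30  (00:18)
reboot   system boot  4.4.0-47-generic Tue Nov 15 08:10 - 17:45 (1+09:35)

wtmp begins Tue Nov  1 00:00:01 2016
"""


@dataclass
class Login:
    user: str
    tty: str
    origin: str
    when: str
    open_session: bool
    verdict: str


def classify(user, tty, origin):
    """Apply the thread's heuristics to one login record."""
    if user == "root":
        return "DIRECT_ROOT_LOGIN"
    if DISPLAY_RE.match(origin) and tty.startswith("tty"):
        return "GUI_CONSOLE"
    if DISPLAY_RE.match(origin) or DISPLAY_RE.match(tty):
        return "DISPLAY_NO_TTY"
    if tty.startswith("pts/") and origin:
        return "REMOTE_SHELL"
    return "OTHER"


def parse_line(line):
    """Return a Login for one `last` line, or None for boot records and noise."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    head = m.group("head").split()
    if not head or head[0] in ("reboot", "shutdown", "wtmp"):
        return None
    user, tty, origin = (head + ["", ""])[:3]  # origin column may be empty
    rest = m.group("rest")
    open_session = "still logged in" in rest or "no logout" in rest
    return Login(user, tty, origin, m.group("when"), open_session,
                 classify(user, tty, origin))


def parse_last(text):
    return [login for login in map(parse_line, text.splitlines()) if login]


def findings(logins):
    """Group users by verdict, dropping the categories that need no follow-up."""
    out = {}
    for login in logins:
        if login.verdict not in ("OTHER", "REMOTE_SHELL"):
            out.setdefault(login.verdict, []).append(login.user)
    return out


def permit_root_login(sshd_config):
    """Effective PermitRootLogin value from sshd_config text (assumes ssh is the
    remote login path).  sshd uses the first occurrence of a keyword; Match
    blocks are not handled.  None means the directive is absent and the build
    default applies (yes before OpenSSH 7.0, prohibit-password from 7.0 on),
    so treat None as 'check the version', not as safe."""
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if parts[0].lower() == "permitrootlogin" and len(parts) == 2:
            return parts[1].strip().lower()
    return None


if __name__ == "__main__":
    for login in parse_last(SAMPLE_LAST):
        flag = "  (session still open)" if login.open_session else ""
        print(f"{login.verdict:18} {login.user:9} {login.tty:6} {login.origin:16} {login.when}{flag}")
    print(findings(parse_last(SAMPLE_LAST)))
```

Run it against real output with `last -w | python3 triage.py` style piping by swapping `SAMPLE_LAST` for `sys.stdin.read()`; `-w` keeps long usernames and hostnames from being truncated. The GUI_CONSOLE verdict is the one that sends you to the people with keys to the office; DISPLAY_NO_TTY sends you to the display manager's configuration; DIRECT_ROOT_LOGIN means the `last` line is all you have, since the account that became root is not recorded.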
Current thread:
- i think i'm hacked - is this the right place to ask ? Lentes, Bernd (Nov 16)
- Re: i think i'm hacked - is this the right place to ask ? Adam Maynard (Nov 16)
- Re: i think i'm hacked - is this the right place to ask ? Lentes, Bernd (Nov 16)
- Re: i think i'm hacked - is this the right place to ask ? Valdis Kletnieks (Nov 16)
- Re: i think i'm hacked - is this the right place to ask ? Lentes, Bernd (Nov 16)
- Re: i think i'm hacked - is this the right place to ask ? Adam Maynard (Nov 16)
- Re: i think i'm hacked - is this the right place to ask ? Lentes, Bernd (Nov 16)
- Re: i think i'm hacked - SOLVED Lentes, Bernd (Nov 16)
- Re: i think i'm hacked - SOLVED Ken Connelly (Nov 17)
- Re: i think i'm hacked - is this the right place to ask ? Lentes, Bernd (Nov 16)
- Re: i think i'm hacked - is this the right place to ask ? Adam Maynard (Nov 16)