Full Disclosure mailing list archives
Re: Removing FIred admins
From: Raymond Lillard <ryl () prosysmeg com>
Date: Thu, 12 Feb 2004 21:48:42 -0800
Cael Abal wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Michael T. Harding wrote:
> | Anybody know of a checklist or guide to removing access across the entire
> | organization for a "retired" admin?
> | Mixed environment including Linux, Unix, Windows, Cisco, Nortel
>
> Wow. Nightmare.
>
> I would expect this is exactly what you didn't want to hear, but you're in an awfully scary situation. Imagine every sneaky thing a cracker could do -- subvert your IDS, implement Ken Thompson-esque login/compiler bugs, etc... And then consider that they might've happened any time in the past few years and have by now completely infiltrated your backup media.
Michael,

I'm assuming you are the "retiree's" manager. If your "retiree" had little or no warning, you are more likely to be safe than not. If your "retiree" received a series of personnel action memos over a period of 6 months prior to the event, then you must ask yourself how vindictive this person is likely to be, and also how clever.

I'm afraid I don't have much advice beyond what you already know to help with the cleanup after the fact.

Going forward, consider setting up a machine to be a private backup loghost to which only you (and maybe a trusted aide) have access, including physical access. Disable all services, especially logins, on the interface where you run syslogd. Hire a new sysadmin. Read the logs faithfully.

Like so many security problems, this one requires some "social engineering". Just the knowledge that a secure loghost exists will raise the level of effort required for any future mischief.

Good Luck,
Ray

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
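Ray's advice to "read the logs faithfully" is easier to follow with a starting set of rules. What follows is an added example, not code from the thread or from any of its posters: a small Python audit of syslog lines as they would arrive on the private loghost, written against constructed sample lines in BSD syslog format and an assumed list of the departed admin's accounts (`RETIRED_ACCOUNTS`; the account names, hosts and addresses are all made up). It flags any use of those accounts, creation of a second UID 0 account, account-management commands run through sudo, and logins by other accounts from an address the retired accounts were seen using.

```python
"""Audit forwarded syslog lines for activity tied to a departed admin.

Added example, not from the mailing list thread. Assumes BSD syslog lines
("Mon DD HH:MM:SS host message") as received on a central loghost and an
assumed list of the retired admin's account names.
"""
import re
from collections import Counter

# Constructed sample log, standing in for the loghost's received file.
SAMPLE_LOG = """\
Feb 12 21:40:01 fileserver sshd[4112]: Accepted publickey for jdoe from 10.1.2.3 port 51422 ssh2
Feb 12 21:40:09 fileserver sudo:   jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/sbin/useradd -o -u 0 svcbackup
Feb 12 21:40:09 fileserver useradd[4130]: new user: name=svcbackup, UID=0, GID=0, home=/home/svcbackup, shell=/bin/sh
Feb 12 21:41:15 router01 %SYS-5-CONFIG_I: Configured from console by oldadmin on vty0 (10.1.2.3)
Feb 12 21:42:30 mailhost sshd[2231]: Accepted password for alice from 10.1.5.9 port 40122 ssh2
Feb 12 21:43:02 fileserver sshd[4201]: Failed password for jdoe from 10.1.2.3 port 51500 ssh2
Feb 12 21:44:44 fileserver cron[4300]: (root) CMD (/usr/local/bin/backup.sh)
Feb 12 21:45:10 mailhost sshd[2300]: Accepted publickey for backup from 10.1.2.3 port 51610 ssh2
this line is not syslog and is skipped
"""

# Assumed: the accounts the retired admin held across the Unix and network gear.
RETIRED_ACCOUNTS = {"jdoe", "oldadmin"}

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)
# A "new user" record with UID=0 is a second root-equivalent account.
NEW_UID0_RE = re.compile(r"new user: name=(?P<name>[^,]+), UID=0\b")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Tools whose direct use, or use via sudo, changes who can log in.
ACCOUNT_MGMT = ("useradd", "usermod", "userdel", "passwd", "groupadd", "chage")


def parse(line):
    """Split one BSD syslog line into ts/host/msg, or None if it does not parse."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def audit(log_text, retired_accounts):
    """Return (rule, host, message) findings in log order, one per rule hit."""
    records = [r for r in (parse(l) for l in log_text.splitlines()) if r]
    account_re = (
        re.compile(r"\b(" + "|".join(map(re.escape, sorted(retired_accounts))) + r")\b")
        if retired_accounts else None
    )

    def mentions_retired(msg):
        return bool(account_re and account_re.search(msg))

    # Pre-pass: which source addresses appeared together with a retired account?
    suspect_ips = set()
    for r in records:
        if mentions_retired(r["msg"]):
            suspect_ips.update(IPV4_RE.findall(r["msg"]))

    findings = []
    for r in records:
        host, msg = r["host"], r["msg"]
        retired = mentions_retired(msg)
        if retired:
            findings.append(("retired-account-activity", host, msg))
        if NEW_UID0_RE.search(msg):
            findings.append(("new-uid0-account", host, msg))
        elif any(msg.startswith(tool + "[") or ("COMMAND=" in msg and tool in msg)
                 for tool in ACCOUNT_MGMT):
            findings.append(("account-management", host, msg))
        # Another account used from an address the retired accounts came from.
        if not retired and suspect_ips & set(IPV4_RE.findall(msg)):
            findings.append(("activity-from-suspect-address", host, msg))
    return findings


def summarize(findings):
    """Count findings per rule, for a quick daily glance at the loghost."""
    return Counter(rule for rule, _host, _msg in findings)


if __name__ == "__main__":
    results = audit(SAMPLE_LOG, RETIRED_ACCOUNTS)
    for rule, host, msg in results:
        print(f"{rule:32} {host:12} {msg}")
    print(dict(summarize(results)))
```

Run it on the loghost against the file syslogd writes there, never on the hosts the departed admin administered: a compromised host can lie about what it logged, which is the whole reason for the separate machine with no logins on its listening interface. The matches are deliberately broad (word-boundary account names, any address seen next to them); the point is to surface lines a person reads, not to decide on their own.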
Current thread:
- Removing FIred admins Michael T. Harding (Feb 12)
- Re: Removing FIred admins Cael Abal (Feb 12)
- Re: Removing FIred admins Raymond Lillard (Feb 12)
- Re: Removing FIred admins Volker Tanger (Feb 13)
- Re: Removing FIred admins Benjamin Schweizer (Feb 13)
- Re: Removing FIred admins Paul J. Morris (Feb 13)
- Re: Removing FIred admins gadgeteer (Feb 13)
- Re: Removing FIred admins Cael Abal (Feb 12)
- <Possible follow-ups>
- RE: Removing FIred admins James Patterson Wicks (Feb 12)
- Re: Removing FIred admins gadgeteer (Feb 12)
- RE: Re: Removing FIred admins Steve Wray (Feb 13)
- RE: Re: Removing FIred admins Michal Zalewski (Feb 13)
- RE: Re: Removing FIred admins Steve Wray (Feb 13)
- Re: Re: Removing FIred admins Valdis . Kletnieks (Feb 13)
- Re: Removing FIred admins gadgeteer (Feb 12)