[clug] Detecting malicious former employees

Andrew Smith andrew at coolchilli.com
Mon Sep 11 05:56:21 GMT 2006

...and remove entries in ~/.ssh/authorized_keys, unknown user accounts, 
external port access, I sometimes throw a dodgy "who | mail me at mydomain 
-s "login on <host>" in /etc/profile just for fun.

If you're really paranoid, and are concerned a host has been 
root-kitted, just be afraid, and maybe rebuild :(

Tomasz Ciolek wrote:
>  All that, and change all the root passwords on servers and admin
>  password on routersand run chkrootkit utility.
> Tomasz
> On Mon, Sep 11, 2006 at 03:43:20PM +1000, Robert Edwards wrote:
>> Take them out of all the sudoers lists on all machines. If they
>> re-appear in any of them, take them to court and sue 'em (you did
>> get them to sign a document stating that they wouldn't attempt to
>> gain access to the machines?).
>> Cheers,
>> Bob Edwards.
>> John Fletcher wrote:
>>> Hi guys,
>>> I'm looking for some advice about precautions to take when a potentially
>>> malicious and highly priviliged (previously had root pw) employee leaves an
>>> organisation.  Can anyone give me some advice about precautions to take and
>>> especially where to look to detect possible attempts to gain access or
>>> engage in malicious activity?
>>> In this particular case we're talking about linux firewall, PPTPD,
>>> mailservers, and various other bits and pieces.  Most work done from remote
>>> locations, not onsite.
>>> Thanks,
>>> Fletch.
>> -- 
>> linux mailing list
>> linux at lists.samba.org
>> https://lists.samba.org/mailman/listinfo/linux

More information about the linux mailing list