[clug] Detecting malicious former employees
andrew at coolchilli.com
Mon Sep 11 05:56:21 GMT 2006
...and remove entries in ~/.ssh/authorized_keys, unknown user accounts,
external port access, I sometimes throw a dodgy "who | mail me at mydomain
-s 'login on <host>'" in /etc/profile just for fun.
If you're really paranoid, and are concerned a host has been
root-kitted, just be afraid, and maybe rebuild :(
Tomasz Ciolek wrote:
> All that, and change all the root passwords on servers and admin
> password on routers and run chkrootkit utility.
> On Mon, Sep 11, 2006 at 03:43:20PM +1000, Robert Edwards wrote:
>> Take them out of all the sudoers lists on all machines. If they
>> re-appear in any of them, take them to court and sue 'em (you did
>> get them to sign a document stating that they wouldn't attempt to
>> gain access to the machines?).
>> Bob Edwards.
>> John Fletcher wrote:
>>> Hi guys,
>>> I'm looking for some advice about precautions to take when a potentially
>>> malicious and highly privileged (previously had root pw) employee leaves an
>>> organisation. Can anyone give me some advice about precautions to take and
>>> especially where to look to detect possible attempts to gain access or
>>> engage in malicious activity?
>>> In this particular case we're talking about linux firewall, PPTPD,
>>> mailservers, and various other bits and pieces. Most work done from remote
>>> locations, not onsite.
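As an added example (not code from the thread or its authors): a small POSIX sh audit of the places the replies point to, namely leftover authorized_keys entries, extra UID-0 accounts and sudoers grants, run against constructed sample files so it can be tried offline. The departed user "bob", the group "admin" and the key comments are all constructed.

```shell
#!/bin/sh
# Added example, not from the thread: offboarding audit helpers that check
# authorized_keys, passwd and sudoers for traces of a departed admin.
# All input below is constructed sample data in a scratch directory.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

cat > "$TMP/authorized_keys" <<'EOF'
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7EXAMPLE bob@ops
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE alice@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLE bob@home
EOF
cat > "$TMP/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000::/home/alice:/bin/sh
toor:x:0:0::/:/bin/sh
EOF
cat > "$TMP/sudoers" <<'EOF'
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
bob     ALL=(ALL) NOPASSWD: ALL
EOF

# authorized_keys lines whose comment or key material matches a pattern
# (arg 2), e.g. the departed user's name. Prints "line:entry".
find_keys() {
    grep -n -- "$2" "$1"
}

# UID-0 accounts other than root in a passwd-format file (arg 1): a second
# root account survives a root password change, so it must be looked for.
extra_root_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# sudoers lines (arg 1) granting rights to a user (arg 2) or group (arg 3).
sudo_grants() {
    grep -nE "^[[:space:]]*($2|%$3)[[:space:]]" "$1"
}

# Total findings for user (arg 1) and group (arg 2); non-zero means there
# is still something to remove before the host can be considered clean.
audit_user() {
    n=$(find_keys "$TMP/authorized_keys" "$1" | wc -l)
    n=$((n + $(extra_root_accounts "$TMP/passwd" | wc -l)))
    n=$((n + $(sudo_grants "$TMP/sudoers" "$1" "$2" | wc -l)))
    echo "$n"
}
```

Point the three file arguments at the real /root/.ssh/authorized_keys, /etc/passwd and /etc/sudoers (plus each user's authorized_keys and /etc/sudoers.d) to run it against a live host.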