[UNCLASSIFIED]RE: [clug] Detecting malicious former employees

Antti.Roppola at brs.gov.au Antti.Roppola at brs.gov.au
Mon Sep 11 06:31:01 GMT 2006 

Hi all,

Also consider what *other* accounts said person might have had su access to.
For example: ISPs, hosting providers, telcos, generic system logins (i.e. "oracle"),
un-documented/defunct/departed/stupid user accounts, cronjobs, web interfaces,
databases etc. etc. etc.

Perhaps close things off as you are able and secure the log host and firewall logs so
that if anything odd happens, there'll be a record. Set some kind of tripwire up on
something they are likely to try monkey with.

Hopefully they are sane enough to realise that any stunts might complicate their
future ability to find work. It's the sort of thing that is career limiting when
it appears in a police check.

Antti

-----Original Message-----
From: linux-bounces+antti.roppola=brs.gov.au at lists.samba.org [mailto:linux-bounces+antti.roppola=brs.gov.au at lists.samba.org] On Behalf Of Andrew Smith
Sent: Monday, 11 September 2006 3:56 PM
To: Tomasz Ciolek
Cc: linux at lists.samba.org; John Fletcher
Subject: Re: [clug] Detecting malicious former employees

...and remove entries in ~/.ssh/authorized_keys, unknown user accounts, external port access, I sometimes throw a dodgy "who | mail me at mydomain -s "login on <host>" in /etc/profile just for fun.

If you're really paranoid, and are concerned a host has been root-kitted, just be afraid, and maybe rebuild :(

>> John Fletcher wrote:
>>     
>>> Hi guys,
>>>
>>> I'm looking for some advice about precautions to take when a 
>>> potentially malicious and highly priviliged (previously had root pw) 
>>> employee leaves an organisation.  Can anyone give me some advice 


---------------------------------------------------------------------- 
IMPORTANT - This message has been issued by The Department of Agriculture, Fisheries and Forestry (DAFF).  The information transmitted is for the use of the intended recipient only and may contain confidential and/or legally privileged material.  It is your responsibility to check any attachments for viruses and defects before opening or sending them on.  
Any reproduction, publication, communication, re-transmission, disclosure, dissemination or other use of the information contained in this e-mail by persons or entities other than the intended recipient is prohibited.  The taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited.  If you have received this e-mail in error please notify the sender and delete all copies of this transmission together with any attachments.  If you have received this e-mail as part of a valid mailing list and no longer want to receive a message such as this one advise the sender by return e-mail accordingly.  Only e-mail correspondence which includes this footer, has been authorised by DAFF 
----------------------------------------------------------------------

More information about the linux mailing list