[clug] Detecting malicious former employees

Leigh Finch leigh at leighfinch.net
Mon Sep 11 06:10:19 GMT 2006


Hi All,
This is frequently a good idea, but seldom done in many companies: keep 
a terminal open with root logged in (on the console, or via ssh), just 
in case root's password mysteriously changes (not that you couldn't 
reset the password if you had to, it's just downtime).

Note: Obviously precautions need to be taken as well, such as locking 
the cabinet/server room or what not.

Cheers
Leigh

Andrew Smith wrote:
> ...and remove entries in ~/.ssh/authorized_keys, unknown user 
> accounts, external port access. I sometimes throw a dodgy
> 'who | mail me at mydomain -s "login on <host>"' in /etc/profile just for fun.
>
> If you're really paranoid, and are concerned a host has been 
> root-kitted, just be afraid, and maybe rebuild :(
>
> Tomasz Ciolek wrote:
>>  All that, and change all the root passwords on servers and admin
>>  password on routers and run chkrootkit utility.
>>
>> Tomasz
>>
>> On Mon, Sep 11, 2006 at 03:43:20PM +1000, Robert Edwards wrote:
>>  
>>> Take them out of all the sudoers lists on all machines. If they
>>> re-appear in any of them, take them to court and sue 'em (you did
>>> get them to sign a document stating that they wouldn't attempt to
>>> gain access to the machines?).
>>>
>>> Cheers,
>>>
>>> Bob Edwards.
>>>
>>> John Fletcher wrote:
>>>    
>>>> Hi guys,
>>>>
>>>> I'm looking for some advice about precautions to take when a potentially
>>>> malicious and highly privileged (previously had root pw) employee leaves an
>>>> organisation.  Can anyone give me some advice about precautions to take and
>>>> especially where to look to detect possible attempts to gain access or
>>>> engage in malicious activity?
>>>>
>>>> In this particular case we're talking about linux firewall, PPTPD,
>>>> mailservers, and various other bits and pieces.  Most work done from remote
>>>> locations, not onsite.
>>>>
>>>> Thanks,
>>>> Fletch.
>>>>       
>>
>>   
>
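
The checks suggested in this thread (sudoers lists, ~/.ssh/authorized_keys, unknown user accounts) written as a re-runnable audit, so that an entry that re-appears later is noticed. This is an added example, not code posted by anyone in the thread; the function name `audit_departed`, its optional ROOT argument and the output tags are assumptions of the example.

```shell
#!/bin/sh
# Added example: report access a departed admin may still hold on one host.
# Usage: audit_departed USER [ROOT]
#   ROOT defaults to the live system; point it at a mounted disk image or a
#   backup tree to audit offline. Prints one finding per line.
audit_departed() {
    user=$1
    root=${2:-}

    # 1. Account still present, plus any extra uid 0 accounts
    #    ("unknown user accounts" with root privileges).
    if [ -f "$root/etc/passwd" ]; then
        awk -F: -v u="$user" '
            $1 == u                 { print "ACCOUNT " $1 " still in passwd" }
            $3 == 0 && $1 != "root" { print "UID0 " $1 " has uid 0" }
        ' "$root/etc/passwd"
    fi

    # 2. sudoers and sudoers.d: any non-comment line naming the user.
    #    Group-based grants (for example %wheel) need a separate group check.
    for f in "$root/etc/sudoers" "$root"/etc/sudoers.d/*; do
        [ -f "$f" ] || continue
        if grep -v '^[[:space:]]*#' "$f" | grep -qw -- "$user"; then
            echo "SUDOERS $f names $user"
        fi
    done

    # 3. authorized_keys for root and every home directory: keys whose
    #    comment is USER@host. The comment is free text, so a hit is a lead
    #    and a miss proves nothing; unknown keys still need manual review.
    for f in "$root"/root/.ssh/authorized_keys* \
             "$root"/home/*/.ssh/authorized_keys*; do
        [ -f "$f" ] || continue
        if grep -v '^[[:space:]]*#' "$f" | grep -q -- "$user@"; then
            echo "SSHKEY $f has a key tagged $user@"
        fi
    done
    return 0
}
```

Run from cron with the output mailed to the admins, an empty report means none of these three places names the user; it does not cover root-kits, which is what the chkrootkit and rebuild advice above is for.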


