[clug] Detecting malicious former employees

Michael James Michael.James at csiro.au
Tue Sep 12 01:20:25 GMT 2006

On Tue, 12 Sep 2006 10:42 am, Edward Lang wrote:
>  Another coworker has written a script,
>  which for a given user updates /etc/passwd
>  with an invalid password for that user, 
> changes their shell to /bin/false (or similar),
> invalidates their crontab, and kills their processes.
> It could, no doubt, be refined,

Scripts are an excellent idea for disabling a normal account,
 but it's a different ball game when the user had root.
If there is even the possibility of premeditated maliciousness
 then the machine has the same status as a hacked one,
 "scheduled for re-build".

Michael James                         michael.james at csiro.au
System Administrator                    voice:  02 6246 5040
CSIRO Bioinformatics Facility             fax:  02 6246 5166

PS: This assumes the company has no interest in entrapment...

More information about the linux mailing list