Old 07-02-2010, 11:25 PM   #1
zolax
LQ Newbie
 
Registered: Apr 2004
Posts: 20

deleted file stripes


I work for a seismic company that has recently experienced a security issue. Because we have an isolated network that is used for HPC work we have a very open security structure, i.e. password-less accounts, rsh, rlogin etc. We had, seemingly, a user that has maliciously deleted another user's files but I still haven't figured out how. So far I have been able to prove that this user has remotely logged into another host under that user's account... or at least that their workstation did. The /var/log/message file shows logins from their workstation as that user multiple times during the times that these files were being deleted. There are wildcard searches for these files in the history on this host. There is a vi session initiated on this host for a file called delme (delete me), then a chmod +x for this file, and then a deletion of this file (rm delme). Funny things: this user has no business in this acct. This user was bounced off the other host (permission denied) when trying to log into the other host and then as root logged into the other host as the other acct. repeatedly... i.e. rsh -l xxx (permis den), then as root rsh -l xxx (logged in). Why not su xxx and then rsh? Password-less acct?! Why use root privs (which they should not have) to log into a password-less acct? Can't see any remote logins to their workstation from elsewhere. Can't find a smoking gun. No execution of the delme script or any other rm /*/xxx/* sort of command that proves when the file deletion of striped files happened?!

Changing root passwd soon.
Need proof that no remote logins to a CentOS 5.3 workstation could be responsible.
Could mean someone gets fired.
How can I be sure that no other users logged into this machine and then into another machine?
Our normal sysadmin is out on vacation for 2 weeks.
HELP!
 
Old 07-03-2010, 05:45 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Facts:
Quote:
Originally Posted by zolax
- company (..) recently experienced a security issue.
- we have an isolated network
- very open security structure i.e. password-less accounts rsh rlogin etc.
- a user (..) has (..) deleted another user's files

- /var/log/message file shows logins from their workstation as that user multiple times during the times that these files were being deleted.
- There are wild card searches for these files in the history in this host.
- There is a vi session initiated on this host for a file called delme (delete me) and then a chmod +x for this file and then a deletion of this file (rm delme).

- user was bounced off the other host (permission denied) when trying to log into the other host and then
- as root logged into the other host as the other acct. repeatedly... (..)
- changing root password soon

Questions:
Quote:
Originally Posted by zolax
0. no execution of delme script or any other rm /*/xxx/* sort of command (..)
"No execution" as in ~/.bash_history?
- How did you ensure all ~/.bash_history files are complete and present history correctly?
- How about global or user initiated cron or at jobs?
- If 'acct' runs, did you check all users' execution accounting details?


Quote:
Originally Posted by zolax
1. need proof that no remote logins to a CentOS 5.3 workstation could be responsible. / how can I be sure that no other users logged into this machine and then into another machine for sure?
- You say "we have an isolated network". So does this mean it is NOT isolated? Remote logins ARE possible?
- Did you correlate ALL router logs and ALL system and daemon logs, and all history files and all user accounting files (lastlog, wtmp, utmp, btmp) on ALL hosts?


Quote:
Originally Posted by zolax
2. why use root privs (..) to log into a password-less account?
As you said "rsh -l user" failed and "rsh -l user" succeeded when executed as root account user. It succeeded. Hence security breached. So I think, in terms of priorities, that this is not the most important question right now. Fact is fact, save speculation for later.


What I suggest you do is:
- Inform network personnel (unless you are the only one: then inform responsible management),
- Familiarize yourself with generic tasks to perform from the Intruder Detection Checklist (CERT): http://web.archive.org/web/200801092...checklist.html before doing anything else,
- Decide on truly sealing off the "isolated" network from any public network access at the router,
- Image hosts for further investigation if necessary,
- Secure all logs everywhere and process them on a secured, detached, workstation only you and management have access to.

* Please, please do not use terms like "remote login", "this host", "that host", "acct xxx" or "user". Instead describe factually like "remote login to server X from same subnet workstation Z", "this host X", "that host Y", "acct user1", "remote user2".
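A worked example of the log correlation recommended above, added here and not part of the thread: it parses constructed rsh login lines in an assumed /var/log/messages format, lists the sessions that fall inside the window in which the files disappeared, and flags logins where the calling identity differs from the account entered (the "as root, rsh -l user" pattern). The message format, host names and user names are constructed assumptions, not the real in.rshd wording.

```python
import re
from datetime import datetime

# Assumed message format (constructed for this example; the exact text that
# in.rshd / pam_rhosts writes to /var/log/messages varies by version):
#   "<Mon> <dd> <HH:MM:SS> <host> in.rshd[<pid>]: <srcuser>@<srchost> as <targetuser>"
LINE_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) in\.rshd\[\d+\]: (\S+)@(\S+) as (\S+)"
)

# Constructed sample of what a server might have logged (not real data).
SAMPLE_LOG = """\
Jul  2 13:55:10 server1 in.rshd[4411]: user1@ws3 as user1
Jul  2 14:02:31 server1 in.rshd[4420]: root@ws7 as user1
Jul  2 14:40:05 server1 in.rshd[4532]: user2@ws7 as user1
Jul  2 16:10:00 server1 in.rshd[4610]: root@ws7 as user1
"""

def parse_rsh_logins(text, year):
    """Return one dict per matching line; syslog omits the year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated syslog line
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=year)
        events.append({"ts": ts, "host": m.group(2), "src_user": m.group(3),
                       "src_host": m.group(4), "target_user": m.group(5)})
    return events

def logins_in_window(events, start_iso, end_iso):
    """Sessions opened inside the deletion window (ISO 8601 bounds, inclusive)."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    return [e for e in events if start <= e["ts"] <= end]

def identity_mismatches(events):
    """Logins where the calling identity differs from the account entered."""
    return [e for e in events if e["src_user"] != e["target_user"]]

def sources_for(events, target_user):
    """Every (source user, source host) pair that reached target_user's account;
    this is the list to check against wtmp/lastlog on each source host."""
    return sorted({(e["src_user"], e["src_host"]) for e in events
                   if e["target_user"] == target_user})
```

Run the same parser over the messages files of every host and compare `sources_for` against the wtmp/lastlog entries on the named source workstations; a login that appears on the server but has no matching session on the workstation is the gap to explain.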
 
Old 07-03-2010, 12:25 PM   #3
zolax
LQ Newbie
 
Registered: Apr 2004
Posts: 20

Original Poster
We are not connected to the internet. By remote login I mean from workstation to server or workstation to workstation.

Thanks for the info and the link. I'll do some research this weekend and then see what I can find on Tuesday.