Facts:
Quote:
Originally Posted by zolax
- company (..) recently experienced a security issue.
- we have an isolated network
- very open security structure i.e. password-less accounts rsh rlogin etc.
- a user (..) has (..) deleted another user's files
- /var/log/message file shows logins from their workstation as that user multiple times during the times that these files were being deleted.
- There are wild card searches for these files in the history in this host.
- There is a vi session initiated on this host for a file called delme (delete me) and then a chmod +x for this file and then a deletion of this file (rm delme).
- user was bounced off the other host (permission denied) when trying to log into the other host and then
- as root logged into the other host as the other acct. repeatedly... (..)
- changing root password soon
|
Questions:
Quote:
Originally Posted by zolax
0. no execution of delme script or any other rm /*/xxx/* sort of command (..)
|
"No execution" as in ~/.bash_history?
- How did you ensure all ~/.bash_history files are complete and present history correctly?
- How about global or user initiated cron or at jobs?
- If 'acct' runs did you check all users execution accounting details?
Quote:
Originally Posted by zolax
1. need proof that no remote logins to a CentOS 5.3 workstation could be responsible. / how can I be sure that no other users logged into this machine and then into another machine for sure?
|
- You say "we have an isolated network". So does this mean it is NOT isolated? Remote logins ARE possible?
- Did you correlate ALL router logs and ALL system and daemon logs, and all history files and all user accounting files (lastlog, wtmp, utmp, btmp) on ALL hosts?
Quote:
Originally Posted by zolax
2. why use root privs (..) to log into a password-less account?
|
As you said "rsh -l user" failed and "rsh -l user" succeeded when executed as root account user. It succeeded. Hence security breached. So I think, in terms of priorities, that this is not the most important question right now. Fact is fact, save speculation for later.
What I suggest you do is:
- Inform network personnel (unless you are the only one: then inform responsible management),
- Familiarize yourself with generic tasks to perform from the Intruder Detection Checklist (CERT):
http://web.archive.org/web/200801092...checklist.html before doing anything else,
- Decide on truly sealing off the "isolated" network from any public network access at the router,
- Image hosts for further investigation if necessary,
- Secure all logs everywhere and process them on a secured, detached, workstation only you and management have access to.
* Please, please do not use terms like "remote login", "this host", "that host", "acct xxx" or "user". Instead describe factually like "remote login to server X from same subnet workstation Z", "this host X", "that host Y", "acct user1", "remote user2".