LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Old 06-24-2002, 10:40 PM   #1
curlyroger
LQ Newbie
 
Registered: Jun 2002
Posts: 4

Keeping the previous administrator OUT


I've just taken over administration duties of a Linux box, but don't know much about Linux. (scary!)

Anyway, the previous owner of the box left under less than pleasant circumstances. Now, the major concern is making sure he can't get back in to do damage.

Obviously, I will change the root password. I've also used the "userconf" tool to identify any other user accounts that are in the "root" group. Those accounts will be deactivated.

I'm also concerned about our mySQL database. I will have to change the root password on that too, correct?

What other things should I check? Are there any other possible back doors I should know about and close? Are there any other user groups or logins that should be checked/changed?

Thanks!
 
Old 06-24-2002, 11:44 PM   #2
shoot2kill
Member
 
Registered: Jan 2002
Location: California
Distribution: Red Hat
Posts: 402

Also check accounts that have remote access, such as telnet, ssh and so on.

If that box you are taking over is using a static IP, try changing to a new IP too.

 
Old 06-25-2002, 12:22 AM   #3
curlyroger
LQ Newbie
 
Registered: Jun 2002
Posts: 4

Original Poster
Quote:
check accounts that have the remote access, such as telnet, ssh and so on
Do you just mean regular user accounts that have such abilities, or some other kind of account? How do I check for such accounts, or that they can do that?

Also, in "userconf" I see the user "operator" -- is that root or something else Linux specific -- meaning I shouldn't delete it?

Thanks!
 
Old 06-26-2002, 11:28 AM   #4
Noerr
Member
 
Registered: May 2002
Location: Dalec, HU
Distribution: Redhat 7.3
Posts: 696

If you want to be on the safe side, remove /bin/bash from /etc/passwd for all users that do not log in locally or via telnet/ssh.

Make sure to change smbpasswd for root (if any).
Change all passwords for MySQL admins.
 
Old 06-26-2002, 09:01 PM   #5
tyler_durden
Member
 
Registered: May 2001
Posts: 125

You may have more work cut out for you.

If you are running MySQL, you may need to change other passwords for it as well. If your webserver has a password (in MySQL), odds are he may know that as well.

Check your last log often and see who is logging in. He may have a back door or two set up.
 
Old 06-26-2002, 10:11 PM   #6
finegan
LQ Guru
 
Registered: Aug 2001
Location: Dublin, Ireland
Distribution: Slackware
Posts: 5,700

Honestly, if you're that worried and the guy was competent, copy the SQL Database late one night, get another machine, install whatever X distro from the ground up, put the SQL DB on it, and then hammer at it until all of the proper accounts and services work. Add users back in as they become apparent. That's a nuclear approach, but really:


Earlier you mentioned "userconf", the GUI tool, which I think is built to ignore any user IDs below 500, which is conventionally where normal users start. Below 500 are system users, like "mail" and "nobody" and "apache". You may want to see if there are some users in /etc/passwd down there in the teens that aren't supposed to be, especially if they have bash as a shell instead of sh; that's kind of telling. Also, make certain you're not running sudo, and if you are, make sure you can trust the security of any of the user accounts in it.

Cheers,

Finegan
 
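The /etc/passwd review that Noerr and finegan describe above, as an added example (not code from the thread or from any poster) in POSIX shell: it lists accounts other than root that carry UID 0, system accounts that nevertheless have an interactive shell, and every account that can still log in. It runs against a constructed sample passwd file so it works offline; on a real box pass /etc/passwd instead. The UID boundary of 500 is taken from finegan's post and is an assumption that may differ on other distributions.

```shell
#!/bin/sh
# Added example, not from the thread: audit a passwd-format file for the
# accounts a departed admin could still use. $1 is the file to audit.

# Assumption (from the thread): system accounts sit below UID 500.
SYS_UID_MAX=500

# Constructed sample passwd file for offline use; the "backup" UID-0 entry and
# the bash shells on apache/mysql are deliberate findings for the audit to catch.
# "operator" is a stock Red Hat system account and is normal.
SAMPLE_PASSWD=$(mktemp)
cat >"$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
apache:x:48:48:Apache:/var/www:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
backup:x:0:0:backup:/root:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash
EOF

# Accounts other than "root" whose UID is 0: each one is root under another
# name and must be explained or removed.
uid0_aliases() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# System accounts (UID below SYS_UID_MAX) that still have an interactive shell.
# Service accounts such as apache or mysql should end in nologin or false.
system_accounts_with_shell() {
    awk -F: -v max="$SYS_UID_MAX" '
        $3 < max && $1 != "root" && $7 !~ /(nologin|false)$/ {
            print $1 ":" $3 ":" $7
        }' "$1"
}

# Every account, of any UID, whose shell allows an interactive login.
login_capable() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

audit_passwd() {
    echo "== UID 0 accounts other than root =="
    uid0_aliases "$1"
    echo "== system accounts with an interactive shell (name:uid:shell) =="
    system_accounts_with_shell "$1"
    echo "== accounts that can log in =="
    login_capable "$1"
}

audit_passwd "$SAMPLE_PASSWD"
```

Run it as `sh audit.sh` to see the findings on the sample, or call `audit_passwd /etc/passwd` on the real file. Every name the first two sections print needs a justification; the third section is the list to compare against who actually should have shell access.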
Old 07-18-2002, 11:07 AM   #7
turnip
Member
 
Registered: Jul 2002
Posts: 143

Also remove any keys in /root/.ssh so he can't use keys to log in.
 
Old 07-28-2002, 08:36 AM   #8
antken
Member
 
Registered: Nov 2000
Posts: 368

look out!

I had the very same trouble a few weeks ago when I took over a Linux box.

Basically I went through the passwd file and had the IP address and DNS records updated on the web.
Plus check your cron jobs for strange scripts.

The box's previous owner put a script in there to create a user and password, then email the box's new IP address to him.


keep your eyes open!
 
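The two back-door locations turnip and antken point at above, SSH keys and cron jobs, as an added example in POSIX shell (not code from the thread or from any poster): it inventories authorized_keys files under /root and /home and every cron entry in the per-user spool, /etc/cron.d and the cron.{hourly,daily,weekly,monthly} directories. It takes a base directory so it can be exercised against a constructed tree built by make_sample_tree; on a real machine pass `/`. The directory layout is the Red Hat one of the time and is an assumption, and flagging commands that run out of /tmp, /var/tmp or /dev/shm is a heuristic of this example, not something from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: list where a previous admin could have
# left a way back in. Functions take a base directory ($1); use / for real.

# Build a constructed filesystem tree for offline demonstration. The crontab
# for "alice" running a script out of /tmp is the planted finding.
make_sample_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/root/.ssh" "$base/home/alice/.ssh" "$base/home/bob" \
             "$base/etc/cron.d" "$base/etc/cron.daily" "$base/var/spool/cron"
    echo "ssh-rsa AAAAB3NzaC1yc2E...constructed... olduser@laptop" \
        >"$base/root/.ssh/authorized_keys"
    echo "ssh-rsa AAAAB3NzaC1yc2E...constructed... alice@desk" \
        >"$base/home/alice/.ssh/authorized_keys"
    printf '%s\n' "# nightly dump" "0 3 * * * root /usr/local/bin/backup.sh" \
        >"$base/etc/cron.d/backup"
    printf '%s\n' "*/10 * * * * /tmp/.x/report.sh" >"$base/var/spool/cron/alice"
    printf '%s\n' "#!/bin/sh" "logrotate /etc/logrotate.conf" \
        >"$base/etc/cron.daily/logrotate"
    echo "$base"
}

# Every authorized_keys file under root's and the users' home directories,
# printed as "<number of keys> <path>". Blank and comment lines are not keys.
list_authorized_keys() {
    base=$1
    find "$base/root" "$base/home" -name authorized_keys -type f 2>/dev/null |
    while read -r f; do
        n=$(grep -c -v -E '^[[:space:]]*(#|$)' "$f")
        echo "$n ${f#"$base"}"
    done
}

# Active cron lines from per-user crontabs and /etc/cron.d, plus the scripts
# installed in the periodic cron directories, each prefixed with its file.
list_cron_entries() {
    base=$1
    for f in "$base"/var/spool/cron/* "$base"/etc/cron.d/*; do
        [ -f "$f" ] || continue
        grep -v -E '^[[:space:]]*(#|$)' "$f" | sed "s|^|${f#"$base"}: |"
    done
    for d in "$base"/etc/cron.hourly "$base"/etc/cron.daily \
             "$base"/etc/cron.weekly "$base"/etc/cron.monthly; do
        [ -d "$d" ] || continue
        for s in "$d"/*; do
            [ -f "$s" ] && echo "${s#"$base"}: script"
        done
    done
}

# Heuristic of this example: cron commands that run out of a temporary or
# world-writable directory deserve a close look first.
suspicious_cron() {
    list_cron_entries "$1" | grep -E '(^|[[:space:]])/(tmp|var/tmp|dev/shm)/'
}

SAMPLE_BASE=$(make_sample_tree)
echo "== authorized_keys files (key count, path) =="
list_authorized_keys "$SAMPLE_BASE"
echo "== cron entries =="
list_cron_entries "$SAMPLE_BASE"
echo "== cron entries running from temporary directories =="
suspicious_cron "$SAMPLE_BASE"
```

On the sample tree the last section prints alice's `*/10 * * * * /tmp/.x/report.sh` line, which is the kind of entry antken describes. Against a real system, every key the first section reports should belong to someone still employed, and every cron line should be explainable; cron is only one place a script can be scheduled, so /etc/rc.d and at jobs are worth the same look.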