March 30, 2004
Server Compromise Scare
While I was working on today's first catastrophe I was informed that an account on two of our machines had a .ssh/known_hosts file filled with entries not made by the account owner.
Three (all) of us immediately started the process of scouring the system for evidence of damage, changed binaries, etc. Tripwire hadn't reported anything unusual, but tripwire is also easy to manipulate. We spent a good portion of the afternoon, and I continued during the evening, scouring for any signs and haven't seen any evidence of malice. The fact that the user didn't clean up the known_hosts entries . . .
Back in late January another department at Tufts had some compromised machines where passwords were being collected, which led to access to additional machines. It looks like ours was one of them: the account on our machine was accessed from the other department's compromised machine.
The machines are scheduled to be rebuilt soon, and I am anxious to have that happen because I know that until they are rebuilt there will be a nagging question about their state.
Posted by mike at March 30, 2004 11:10 PM