From: Niall O Broin (nobroin at domain sced.esoc.esa.de)
Date: Wed 06 Oct 1999 - 13:50:11 IST
A machine which I maintain is on the internet, visible to the world. It's
a web server and it's regularly updated by a machine on a private LAN which
connects to the internet via dial-up ISDN. This morning the file transfer
stopped working with error messages which led me to think it was something
to do with ssh (I use ssh/scp to move files to the web server and to initiate
the web server update process from the local machine). Sure enough, investigation
of the machine reveals that the relevant .ssh directory is gone, vanished, no
longer there. This happened some time this morning because
a) the relevant .ssh directory is still found by locate so it was there when
updatedb was last run.
b) web server updating worked earlier this morning.
The two alternative possibilities are
i) One of the people ftp'ing files to/from this machine today managed to blow
away the .ssh directory using Fetch on a Macintosh.
ii) Malice
I'm leaning towards i) as one of the people deleted some files in a subdirectory
of the home directory - shouldn't have been possible to touch .ssh, and he insists
that he didn't, but that he did notice .ssh in a listing. If it was ii) it'd have to
have been very coincidental, as it happened around the time that ftp was being used.
Also, if an attacked gains access to a level where he could delete the .ssh directory
what would it benefit him to do so ?
Ideas welcome,
Niall O Broin
UNIX Network Administrator nobroin at domain esoc.esa.de
Ground Systems Engineering Department Ph./Fax +49 6151 90 3619/2179
European Space Operations Centre, Darmstadt, Germany
This archive was generated by hypermail 2.1.6 : Thu 06 Feb 2003 - 13:04:40 GMT