RE: Ive been hacked - they got root!

> -----Original Message-----
> From: redhat-list-admin@xxxxxxxxxx
> [mailto:redhat-list-admin@xxxxxxxxxx]On Behalf Of Jeff
> Sent: Friday, January 02, 2004 12:35 PM
> To: Redhat List
> Subject: Ive been hacked - they got root!
> 
> 
> Peeps
> 
> Just had a look at yesterday's logwatch mail and noticed that someone has
> logged in as root via ssh 6 times from the IP address of the place I
> work. I don't think it's been done maliciously, more of a 'look what I
> did <laugh, laugh>'. I have looked at /var/log/secure and there's no
> evidence in there about it so it looks like they've covered their tracks.
> 
> Does anyone know how I can find out what they did and how to prevent
> stuff like this happening again (yes - I've already changed the
> password). I've already looked at the bash history file with no luck
> 
> Thanks
> 
> A slightly worried Jeff
> 

FYI, if someone has been able to log in as root via ssh, they would have
been able to set up your authorized keys to let them get back in regardless
of what the password may be.  You'd see these login attempts in logwatch
as something like "root logged in from ... using publickey".

-- 
S C Rigler
RHCE #803003335409754


-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
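
Added example, not part of the original thread: a shell sketch of the check the reply points at, counting successful root SSH logins by authentication method and source, and listing which keys are authorized for root. It assumes sshd's usual "Accepted <method> for <user> from <ip>" log line; the function names, addresses and key entries are constructed for illustration.

```shell
#!/bin/sh
# Constructed sshd lines in /var/log/secure style (sample data, not from the post).
sample_log() {
cat <<'EOF'
Jan  1 09:12:01 host sshd[2101]: Accepted password for root from 192.0.2.10 port 40112 ssh2
Jan  1 09:30:44 host sshd[2150]: Failed password for root from 192.0.2.10 port 40120 ssh2
Jan  1 10:02:13 host sshd[2207]: Accepted publickey for root from 192.0.2.10 port 40155 ssh2
Jan  1 10:05:59 host sshd[2230]: Accepted publickey for jeff from 198.51.100.7 port 51000 ssh2
Jan  1 11:47:20 host sshd[2311]: Accepted publickey for root from 192.0.2.10 port 40190 ssh2
EOF
}

# Constructed authorized_keys content; the key blobs are placeholders.
sample_keys() {
cat <<'EOF'
# root's keys
ssh-rsa AAAAB3PLACEHOLDER jeff@workstation
from="192.0.2.10" ssh-dss AAAAB3PLACEHOLDER unknown@elsewhere
EOF
}

# root_logins: read sshd log lines on stdin and print "count method source"
# for every (method, source) pair of successful root logins.
root_logins() {
    awk '$6 == "Accepted" && $8 == "for" && $9 == "root" && $10 == "from" {
             n[$7 " " $11]++
         }
         END { for (k in n) print n[k], k }' | sort
}

# list_keys: read an authorized_keys file on stdin and print
# "line-number key-type first-word-of-comment" for each key entry.
# Options placed before the key type (from=, command=, ...) are skipped.
list_keys() {
    awk '/^[ \t]*(#|$)/ { next }
         { for (i = 1; i <= NF; i++)
               if ($i ~ /^(ssh-|ecdsa-|sk-)/) {
                   c = (i + 2 <= NF) ? $(i + 2) : "(no comment)"
                   print NR, $i, c
                   next
               }
           print NR, "unparsed", "-" }'
}

sample_log | root_logins
sample_keys | list_keys
```

On a live system the same functions would be fed with `root_logins < /var/log/secure` and `list_keys < /root/.ssh/authorized_keys`. Because root can edit local logs, as the original poster suspects happened here, a copy forwarded to a separate log host is the more reliable input.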
