http://aplawrence.com/ Comments feed at aplawrence.com: Thousands of articles, reviews, consultants listings, skills tests, opinion, how-to's for Unix, Linux and Mac OS X, networking, web site maintenance and more.. hourly 6 1970-01-01T00:00+00:00 en A.P. Lawrence Copyright A.P. Lawrence A.P. Lawrence (mailto:rssfeeds@aplawrence.com) 2009-11-06T18:53:05+00:00 Aplawrencecommentshttp://feedburner.google.com http://aplawrence.com/image21.gif http://aplawrence.com Fri Nov 6 18:50:20 2009<br /> <br />Subject: <br />Website: <br />Right, who knows? <br /> <br /> <br /> <br />I keep cycling back to "Why call attention to yourself by disabling logins? Why leave an easily seen trail in /var/log/secure and wtmp?" <br /> <br /> <br /> <br />Whatever. As I said, it's not something I can handle. <div style="font-size:80%"> <table> <tr> <td> - </td> <td> - </td> <td><a href="http://aplawrence.com/Tests">Skills Tests</a></td> <td> - </td> <td><a href="http://aplawrence.com/Surveys">Surveys</a></td> <td> - </td> <td><a href="http://aplawrence.com/Kerio">Kerio Mail Server</a></td> <td> - </td> <td><a href="http://aplawrence.com/fortinet">Fortinet Routers</a></td> <td> - </td> <td><a href="http://aplawrence.com/rates.html">Consulting</a></td> <td> - </td> <td><a href="http://aplawrence.com/advert.html">Advertise Here</a></td> </tr> </table> </div> <p><a href="http://feedads.g.doubleclick.net/~a/BiXTb5Adop1LfRNZkFbyj2Pg39s/0/da"><img src="http://feedads.g.doubleclick.net/~a/BiXTb5Adop1LfRNZkFbyj2Pg39s/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/BiXTb5Adop1LfRNZkFbyj2Pg39s/1/da"><img src="http://feedads.g.doubleclick.net/~a/BiXTb5Adop1LfRNZkFbyj2Pg39s/1/di" border="0" ismap="true"></img></a></p> http://aplawrence.com/Linux/strange-hack.html Fri Nov 6 18:46:27 2009<br /> <br />Subject: <br />Website: <br /><i>would be why wasn't the disgruntled ex-consultant's credentials immediately removed from the system when things went sour between him and the client?</i> <br /> <br /> <br /> <br />I don't know. The first I heard about any unpleasant relations was today. It's quite possible that nobody but the owner knew about this and he may not have thought about hacking. <br /> <br /> <br /> <br />That assumes it WAS that guy. I think a compromised home machine is still in the running. <br /> <br /> <br /> <br /> <div style="font-size:80%"> <table> <tr> <td> - </td> <td> - </td> <td><a href="http://aplawrence.com/Tests">Skills Tests</a></td> <td> - </td> <td><a href="http://aplawrence.com/Surveys">Surveys</a></td> <td> - </td> <td><a href="http://aplawrence.com/Kerio">Kerio Mail Server</a></td> <td> - </td> <td><a href="http://aplawrence.com/fortinet">Fortinet Routers</a></td> <td> - </td> <td><a href="http://aplawrence.com/rates.html">Consulting</a></td> <td> - </td> <td><a href="http://aplawrence.com/advert.html">Advertise Here</a></td> </tr> </table> </div> <p><a href="http://feedads.g.doubleclick.net/~a/V6ByFFi16kDMt47_ABu3ROb_fx0/0/da"><img src="http://feedads.g.doubleclick.net/~a/V6ByFFi16kDMt47_ABu3ROb_fx0/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/V6ByFFi16kDMt47_ABu3ROb_fx0/1/da"><img src="http://feedads.g.doubleclick.net/~a/V6ByFFi16kDMt47_ABu3ROb_fx0/1/di" border="0" ismap="true"></img></a></p> http://aplawrence.com/Linux/strange-hack.html Fri Nov 6 18:44:40 2009<br /> <br />Subject: A possible reason for the hack... <br />Website: <br />Here is an exerpt from "en.wikipedia.org/wiki/IRC" &#58; <br /> <br />"..as a way of obtaining a bouncer-like effect, an IRC client (typically text-based, for example Irssi) may be run on an always-on server to which the user connects via ssh. This also allows devices that only have ssh functionality, but no actual IRC client installed themselves, to connect to the IRC and allows sharing of IRC sessions.[68] <br /> <br />To prevent the IRC client to be closed on termination of the ssh connection, it can be run inside a piece of screen-detaching software (e.g. GNU Screen or tmux), thus staying connected to the IRC network(s) at all time, being able to log channels the user is interested in, etc. Modelled after this setup[69], an IRC client following the client-server model, called Quassel IRC, has been developed. " <br /> <br /> <br /> <br />Who knows? Right? .. ;) <br /> <br /> <div style="font-size:80%"> <table> <tr> <td> - </td> <td> - </td> <td><a href="http://aplawrence.com/Tests">Skills Tests</a></td> <td> - </td> <td><a href="http://aplawrence.com/Surveys">Surveys</a></td> <td> - </td> <td><a href="http://aplawrence.com/Kerio">Kerio Mail Server</a></td> <td> - </td> <td><a href="http://aplawrence.com/fortinet">Fortinet Routers</a></td> <td> - </td> <td><a href="http://aplawrence.com/rates.html">Consulting</a></td> <td> - </td> <td><a href="http://aplawrence.com/advert.html">Advertise Here</a></td> </tr> </table> </div> <p><a href="http://feedads.g.doubleclick.net/~a/fqbUFDXgtRWwy4AA3sKjwQ7T8NE/0/da"><img src="http://feedads.g.doubleclick.net/~a/fqbUFDXgtRWwy4AA3sKjwQ7T8NE/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/fqbUFDXgtRWwy4AA3sKjwQ7T8NE/1/da"><img src="http://feedads.g.doubleclick.net/~a/fqbUFDXgtRWwy4AA3sKjwQ7T8NE/1/di" border="0" ismap="true"></img></a></p> http://aplawrence.com/Linux/strange-hack.html Fri Nov 6 18:38:56 2009<br /> <br />Subject: <br />Website: <br />""" <br /> <br />And a simple "w" or "last" discovers that instantly. To hide that, you'd need to install your own root kit - spy vs. spy &#58;-) <br /> <br />""" <br /> <br /> <br /> <br /> <br /> <br />Yes. That is why playing hacker games is not going to get you anywhere. The _only_ correct action is to simply pull the power and make a image of the drive and you use that for forensics. <br /> <br /> <br /> <br />Think about a crime scene. Does the police start just tearing into everything, crawling in and out of all the windows, and trying to recreate the crime to try to see if they can find the criminal by accident? <br /> <br /> <br /> <br />NO.. They secure the scene and make sure that evidence is preserved. <br /> <br /> <br /> <br />And not only is it your job to preserve evidence, it is your job to do things like establish chains of custody and other things to make sure that you can prove that you have not tampered with the evidence. <br /> <br /> <br /> <br />It's such a simple thing to do... stick a drive into a external adapter and use dd to pull a image without mounting or otherwise touching any of the data on disk it's just a 'duh' to do it. Otherwise your just stomping all over everything with the digital equivalent of muddy boots in a ham fisted attempted to outsmart a unknown person. <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <div style="font-size:80%"> <table> <tr> <td> - </td> <td> - </td> <td><a href="http://aplawrence.com/Tests">Skills Tests</a></td> <td> - </td> <td><a href="http://aplawrence.com/Surveys">Surveys</a></td> <td> - </td> <td><a href="http://aplawrence.com/Kerio">Kerio Mail Server</a></td> <td> - </td> <td><a href="http://aplawrence.com/fortinet">Fortinet Routers</a></td> <td> - </td> <td><a href="http://aplawrence.com/rates.html">Consulting</a></td> <td> - </td> <td><a href="http://aplawrence.com/advert.html">Advertise Here</a></td> </tr> </table> </div> <p><a href="http://feedads.g.doubleclick.net/~a/vrJ4P9oForS5Il-O9K7sq_iplVE/0/da"><img src="http://feedads.g.doubleclick.net/~a/vrJ4P9oForS5Il-O9K7sq_iplVE/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/vrJ4P9oForS5Il-O9K7sq_iplVE/1/da"><img src="http://feedads.g.doubleclick.net/~a/vrJ4P9oForS5Il-O9K7sq_iplVE/1/di" border="0" ismap="true"></img></a></p> http://aplawrence.com/Linux/strange-hack.html Fri Nov 6 18:37:02 2009<br /> <br />Subject: <br />Website: <br />We'd be happy to send you an invitation, Michiel . <br /> <br /> <br /> <br />So far, only two people have asked... <div style="font-size:80%"> <table> <tr> <td> - </td> <td> - </td> <td><a href="http://aplawrence.com/Tests">Skills Tests</a></td> <td> - </td> <td><a href="http://aplawrence.com/Surveys">Surveys</a></td> <td> - </td> <td><a href="http://aplawrence.com/Kerio">Kerio Mail Server</a></td> <td> - </td> <td><a href="http://aplawrence.com/fortinet">Fortinet Routers</a></td> <td> - </td> <td><a href="http://aplawrence.com/rates.html">Consulting</a></td> <td> - </td> <td><a href="http://aplawrence.com/advert.html">Advertise Here</a></td> </tr> </table> </div> <p><a href="http://feedads.g.doubleclick.net/~a/W6argKqbfFLkSz8W4QdH6VXM2dg/0/da"><img src="http://feedads.g.doubleclick.net/~a/W6argKqbfFLkSz8W4QdH6VXM2dg/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/W6argKqbfFLkSz8W4QdH6VXM2dg/1/da"><img src="http://feedads.g.doubleclick.net/~a/W6argKqbfFLkSz8W4QdH6VXM2dg/1/di" border="0" ismap="true"></img></a></p> http://aplawrence.com/Web/gentle-wave.html Fri Nov 6 18:01:59 2009<br /> <br />Subject: <br />Website: http://bcstechnology.net <br />Of course, my first question would be why wasn't the disgruntled ex-consultant's credentials immediately removed from the system when things went sour between him and the client? After all, the majority of security breaks that occur on UNIX-like systems are made possible by careless username and password policing. Is this another case of having an easy-to-remember root password because "it's convenient?"<p>Something I've hammered into my clients' heads is the need to keep administrative access to any machine under tight control and keep it limited only to those who have a compelling need. Nevermore so is this requirement than when a machine is exposed to the Internet. As someone above said, it should be assumed that any exposed machine will eventually be subject to a hack attack. <br /> <br /> <br /> <br />As for the Windows boxes...I believe Rent-A-Dumpster offers a solution... &lt;Grin&gt; <div style="font-size:80%"> <table> <tr> <td> - </td> <td> - </td> <td><a href="http://aplawrence.com/Tests">Skills Tests</a></td> <td> - </td> <td><a href="http://aplawrence.com/Surveys">Surveys</a></td> <td> - </td> <td><a href="http://aplawrence.com/Kerio">Kerio Mail Server</a></td> <td> - </td> <td><a href="http://aplawrence.com/fortinet">Fortinet Routers</a></td> <td> - </td> <td><a href="http://aplawrence.com/rates.html">Consulting</a></td> <td> - </td> <td><a href="http://aplawrence.com/advert.html">Advertise Here</a></td> </tr> </table> </div> <p><a href="http://feedads.g.doubleclick.net/~a/7mv9LaopAns-O4ZPqOQ74SAPQvo/0/da"><img src="http://feedads.g.doubleclick.net/~a/7mv9LaopAns-O4ZPqOQ74SAPQvo/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/7mv9LaopAns-O4ZPqOQ74SAPQvo/1/da"><img src="http://feedads.g.doubleclick.net/~a/7mv9LaopAns-O4ZPqOQ74SAPQvo/1/di" border="0" ismap="true"></img></a></p> http://aplawrence.com/Linux/strange-hack.html Fri Nov 6 17:48:55 2009<br /> <br />Subject: <br />Website: <br /><i>As long as the intruder doesn't detect the running serial console.) </i> <br /> <br /> <br /> <br />No different than leaving root logged in on ALT-F3 <br /> <br /> <br /> <br />And a simple "w" or "last" discovers that instantly. To hide that, you'd need to install your own root kit - spy vs. spy &#58;-) <div style="font-size:80%"> <table> <tr> <td> - </td> <td> - </td> <td><a href="http://aplawrence.com/Tests">Skills Tests</a></td> <td> - </td> <td><a href="http://aplawrence.com/Surveys">Surveys</a></td> <td> - </td> <td><a href="http://aplawrence.com/Kerio">Kerio Mail Server</a></td> <td> - </td> <td><a href="http://aplawrence.com/fortinet">Fortinet Routers</a></td> <td> - </td> <td><a href="http://aplawrence.com/rates.html">Consulting</a></td> <td> - </td> <td><a href="http://aplawrence.com/advert.html">Advertise Here</a></td> </tr> </table> </div> <p><a href="http://feedads.g.doubleclick.net/~a/fGTZcDcfzi6RoKojEr9DDkQZj1M/0/da"><img src="http://feedads.g.doubleclick.net/~a/fGTZcDcfzi6RoKojEr9DDkQZj1M/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/fGTZcDcfzi6RoKojEr9DDkQZj1M/1/da"><img src="http://feedads.g.doubleclick.net/~a/fGTZcDcfzi6RoKojEr9DDkQZj1M/1/di" border="0" ismap="true"></img></a></p> http://aplawrence.com/Linux/strange-hack.html Fri Nov 6 17:39:28 2009<br /> <br />Subject: <br />Website: <br />If you reboot the machine, a running trojan process might not be there anymore. The only solution is to have the server always keep a running terminal on the serial console. A running root shell on the serial console can not be exploited remotely, just with physical access. But this way, you could still login in such a case, where the local accounts or passwords have been tempered with. (As long as the intruder doesn't detect the running serial console.) <div style="font-size:80%"> <table> <tr> <td> - </td> <td> - </td> <td><a href="http://aplawrence.com/Tests">Skills Tests</a></td> <td> - </td> <td><a href="http://aplawrence.com/Surveys">Surveys</a></td> <td> - </td> <td><a href="http://aplawrence.com/Kerio">Kerio Mail Server</a></td> <td> - </td> <td><a href="http://aplawrence.com/fortinet">Fortinet Routers</a></td> <td> - </td> <td><a href="http://aplawrence.com/rates.html">Consulting</a></td> <td> - </td> <td><a href="http://aplawrence.com/advert.html">Advertise Here</a></td> </tr> </table> </div> <p><a href="http://feedads.g.doubleclick.net/~a/Tk1nF5HeH0GpQ9aC5XSev9njKRk/0/da"><img src="http://feedads.g.doubleclick.net/~a/Tk1nF5HeH0GpQ9aC5XSev9njKRk/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/Tk1nF5HeH0GpQ9aC5XSev9njKRk/1/da"><img src="http://feedads.g.doubleclick.net/~a/Tk1nF5HeH0GpQ9aC5XSev9njKRk/1/di" border="0" ismap="true"></img></a></p> http://aplawrence.com/Linux/strange-hack.html Fri Nov 6 17:38:21 2009<br /> <br />Subject: <br />Website: <br />Well true, but if you set it to reboot every three hours or so, thus giving you effectively a fresh install each time the Hacker will get tired of rehacking and installing everything three-four times a day. <div style="font-size:80%"> <table> <tr> <td> - </td> <td> - </td> <td><a href="http://aplawrence.com/Tests">Skills Tests</a></td> <td> - </td> <td><a href="http://aplawrence.com/Surveys">Surveys</a></td> <td> - </td> <td><a href="http://aplawrence.com/Kerio">Kerio Mail Server</a></td> <td> - </td> <td><a href="http://aplawrence.com/fortinet">Fortinet Routers</a></td> <td> - </td> <td><a href="http://aplawrence.com/rates.html">Consulting</a></td> <td> - </td> <td><a href="http://aplawrence.com/advert.html">Advertise Here</a></td> </tr> </table> </div> <p><a href="http://feedads.g.doubleclick.net/~a/I6BY-n-IYifMh2Ncq6ut7iTfabw/0/da"><img src="http://feedads.g.doubleclick.net/~a/I6BY-n-IYifMh2Ncq6ut7iTfabw/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/I6BY-n-IYifMh2Ncq6ut7iTfabw/1/da"><img src="http://feedads.g.doubleclick.net/~a/I6BY-n-IYifMh2Ncq6ut7iTfabw/1/di" border="0" ismap="true"></img></a></p> http://aplawrence.com/Linux/strange-hack.html Fri Nov 6 17:38:17 2009<br /> <br />Subject: <br />Website: <br />I was reminded of this&#58; http://aplawrence.com/Blog/B371.html <br /> <br /> <br /> <br />Too many people are too trusting in letting people use VPN's. Great convenience, but a potential risk. <div style="font-size:80%"> <table> <tr> <td> - </td> <td> - </td> <td><a href="http://aplawrence.com/Tests">Skills Tests</a></td> <td> - </td> <td><a href="http://aplawrence.com/Surveys">Surveys</a></td> <td> - </td> <td><a href="http://aplawrence.com/Kerio">Kerio Mail Server</a></td> <td> - </td> <td><a href="http://aplawrence.com/fortinet">Fortinet Routers</a></td> <td> - </td> <td><a href="http://aplawrence.com/rates.html">Consulting</a></td> <td> - </td> <td><a href="http://aplawrence.com/advert.html">Advertise Here</a></td> </tr> </table> </div> <p><a href="http://feedads.g.doubleclick.net/~a/DOs4n26JP_FY8ycww_i0giOzv3Q/0/da"><img src="http://feedads.g.doubleclick.net/~a/DOs4n26JP_FY8ycww_i0giOzv3Q/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/DOs4n26JP_FY8ycww_i0giOzv3Q/1/da"><img src="http://feedads.g.doubleclick.net/~a/DOs4n26JP_FY8ycww_i0giOzv3Q/1/di" border="0" ismap="true"></img></a></p> http://aplawrence.com/Linux/strange-hack.html Fri Nov 6 17:35:52 2009<br /> <br />Subject: <br />Website: <br /><i>A customized version of microcore Linux set to reboot once a day with pretty much just sshd, telnet, and GNU Screen would be practically unhackable. </i> <br /> <br /> <br /> <br />No, not if the source is a compromised home user. <br /> <br /> <br /> <br />I've said before that VPN's from home users are dangerous. I don't care WHAT they are connecting to, what security is in place - if the home machine has been compromised, everything is at risk. <br /> <br /> <br /> <br /> <div style="font-size:80%"> <table> <tr> <td> - </td> <td> - </td> <td><a href="http://aplawrence.com/Tests">Skills Tests</a></td> <td> - </td> <td><a href="http://aplawrence.com/Surveys">Surveys</a></td> <td> - </td> <td><a href="http://aplawrence.com/Kerio">Kerio Mail Server</a></td> <td> - </td> <td><a href="http://aplawrence.com/fortinet">Fortinet Routers</a></td> <td> - </td> <td><a href="http://aplawrence.com/rates.html">Consulting</a></td> <td> - </td> <td><a href="http://aplawrence.com/advert.html">Advertise Here</a></td> </tr> </table> </div> <p><a href="http://feedads.g.doubleclick.net/~a/l5YZ_TIexSubiv42AB4Kov7mN-E/0/da"><img src="http://feedads.g.doubleclick.net/~a/l5YZ_TIexSubiv42AB4Kov7mN-E/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/l5YZ_TIexSubiv42AB4Kov7mN-E/1/da"><img src="http://feedads.g.doubleclick.net/~a/l5YZ_TIexSubiv42AB4Kov7mN-E/1/di" border="0" ismap="true"></img></a></p> http://aplawrence.com/Linux/strange-hack.html Fri Nov 6 17:29:40 2009<br /> <br />Subject: <br />Website: <br /><i>Check every other system on the network for similar hacks.</i> <br /> <br /> <br /> <br />Having been through this before, I can explain the problem with that. It's the same issue as with fast propagating network worms&#58; to kill the infection, you have to take EVERY machine off-network and keep them off until they are clean. <br /> <br /> <br /> <br />When dealing with a simple problem, you might be able to clean. People do that often with virus attacks - it's a lot better than reimaging every box. But with a hack, how do you know how clever the s.o.b. is? You don't, so your only real choice is full sanitation - horribly expensive and time consuming. Consider that old software may be lost, unavailable, operating systems like their ancient SCO may not work with new hardware... important data files have to be examined and proved free of intrusion... it's a major mess! <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <div style="font-size:80%"> <table> <tr> <td> - </td> <td> - </td> <td><a href="http://aplawrence.com/Tests">Skills Tests</a></td> <td> - </td> <td><a href="http://aplawrence.com/Surveys">Surveys</a></td> <td> - </td> <td><a href="http://aplawrence.com/Kerio">Kerio Mail Server</a></td> <td> - </td> <td><a href="http://aplawrence.com/fortinet">Fortinet Routers</a></td> <td> - </td> <td><a href="http://aplawrence.com/rates.html">Consulting</a></td> <td> - </td> <td><a href="http://aplawrence.com/advert.html">Advertise Here</a></td> </tr> </table> </div> <p><a href="http://feedads.g.doubleclick.net/~a/ZSnLSbnJ7nWsqE4_Rms8QbUOvtw/0/da"><img src="http://feedads.g.doubleclick.net/~a/ZSnLSbnJ7nWsqE4_Rms8QbUOvtw/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/ZSnLSbnJ7nWsqE4_Rms8QbUOvtw/1/da"><img src="http://feedads.g.doubleclick.net/~a/ZSnLSbnJ7nWsqE4_Rms8QbUOvtw/1/di" border="0" ismap="true"></img></a></p> http://aplawrence.com/Linux/strange-hack.html Fri Nov 6 17:26:23 2009<br /> <br />Subject: Live CD <br />Website: <br />So the customer has some telnet only boxes on an insecure but private network that he remote accesses through this box... well if thats all it does why does it have anything else installed? A customized version of microcore Linux set to reboot once a day with pretty much just sshd, telnet, and GNU Screen would be practically unhackable. <div style="font-size:80%"> <table> <tr> <td> - </td> <td> - </td> <td><a href="http://aplawrence.com/Tests">Skills Tests</a></td> <td> - </td> <td><a href="http://aplawrence.com/Surveys">Surveys</a></td> <td> - </td> <td><a href="http://aplawrence.com/Kerio">Kerio Mail Server</a></td> <td> - </td> <td><a href="http://aplawrence.com/fortinet">Fortinet Routers</a></td> <td> - </td> <td><a href="http://aplawrence.com/rates.html">Consulting</a></td> <td> - </td> <td><a href="http://aplawrence.com/advert.html">Advertise Here</a></td> </tr> </table> </div> <p><a href="http://feedads.g.doubleclick.net/~a/QLo0irX2_3wzQ2EhaZiqYqBtFlI/0/da"><img src="http://feedads.g.doubleclick.net/~a/QLo0irX2_3wzQ2EhaZiqYqBtFlI/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/QLo0irX2_3wzQ2EhaZiqYqBtFlI/1/da"><img src="http://feedads.g.doubleclick.net/~a/QLo0irX2_3wzQ2EhaZiqYqBtFlI/1/di" border="0" ismap="true"></img></a></p> http://aplawrence.com/Linux/strange-hack.html Fri Nov 6 17:18:38 2009<br /> <br />Subject: <br />Website: <br />Most home users have dynamic ranges. The better solution would be to force them into using ssh keys - http://aplawrence.com/Security/sshpassphrases.html - but IF THE HOME MACHINE IS COMPROMISED, that doesn't help. <br /> <br /> <br /> <br />The "rsync" idea would be trivial for a hacker to stop. Moreover, it's not much more work to put up a fake rsync responder that would make the other machine think it had successfully copied. <br /> <br /> <br /> <br /> <br /> <br /> <div style="font-size:80%"> <table> <tr> <td> - </td> <td> - </td> <td><a href="http://aplawrence.com/Tests">Skills Tests</a></td> <td> - </td> <td><a href="http://aplawrence.com/Surveys">Surveys</a></td> <td> - </td> <td><a href="http://aplawrence.com/Kerio">Kerio Mail Server</a></td> <td> - </td> <td><a href="http://aplawrence.com/fortinet">Fortinet Routers</a></td> <td> - </td> <td><a href="http://aplawrence.com/rates.html">Consulting</a></td> <td> - </td> <td><a href="http://aplawrence.com/advert.html">Advertise Here</a></td> </tr> </table> </div> <p><a href="http://feedads.g.doubleclick.net/~a/Em38CftWhciKRvaEKjrzQWfioOo/0/da"><img src="http://feedads.g.doubleclick.net/~a/Em38CftWhciKRvaEKjrzQWfioOo/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/Em38CftWhciKRvaEKjrzQWfioOo/1/da"><img src="http://feedads.g.doubleclick.net/~a/Em38CftWhciKRvaEKjrzQWfioOo/1/di" border="0" ismap="true"></img></a></p> http://aplawrence.com/Linux/strange-hack.html Fri Nov 6 17:07:20 2009<br /> <br />Subject: <br />Website: <br />Use rsync from another box every few minutes to return the computer to pristine condition every couple of minutes. That way even if the box does get compromised it is fixed again immediately. You could also block all IP's into the box and only allow people to come in from their home IP adress ranges. <div style="font-size:80%"> <table> <tr> <td> - </td> <td> - </td> <td><a href="http://aplawrence.com/Tests">Skills Tests</a></td> <td> - </td> <td><a href="http://aplawrence.com/Surveys">Surveys</a></td> <td> - </td> <td><a href="http://aplawrence.com/Kerio">Kerio Mail Server</a></td> <td> - </td> <td><a href="http://aplawrence.com/fortinet">Fortinet Routers</a></td> <td> - </td> <td><a href="http://aplawrence.com/rates.html">Consulting</a></td> <td> - </td> <td><a href="http://aplawrence.com/advert.html">Advertise Here</a></td> </tr> </table> </div> <p><a href="http://feedads.g.doubleclick.net/~a/domrWVBySVR5d6lDuVB3ZQkDfxA/0/da"><img src="http://feedads.g.doubleclick.net/~a/domrWVBySVR5d6lDuVB3ZQkDfxA/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/domrWVBySVR5d6lDuVB3ZQkDfxA/1/da"><img src="http://feedads.g.doubleclick.net/~a/domrWVBySVR5d6lDuVB3ZQkDfxA/1/di" border="0" ismap="true"></img></a></p> http://aplawrence.com/Linux/strange-hack.html