Hi,
I see the same here.
JT
Maarten Litmaath wrote:
> Vega Forneris wrote:
>
>>
>> Hi again *,
>>
>> At this point I think the user is the same for every site (here in
>> Italy many sites've already closed their gatekeeper to such user
>> during the day for same reason).
>>
>> I really think that he wasn't doing anything bad and the local user
>> itself has little power on systems (normal dteam user)...but when you
>> find files "where they shouldn't be", well it's a little stressing
>> for a system admin ;-P
>
>
> Are you sure it was the owner of the certificate who was doing these
> funny things:
>
> -----------------------------------------------------------------------
> # ls -lrta /home/grid/*/.ssh
> total 24
> -rw-r--r-- 1 dteam004 cg 235 Jun 13 13:43 tmp_rsa_key.pub
> -rw------- 1 dteam004 cg 887 Jun 13 13:43 tmp_rsa_key
> -rw-r--r-- 1 dteam004 cg 235 Jun 13 13:43 authorized_keys
> drwx------ 2 dteam004 cg 4096 Jun 13 13:43 .
> -rw-r--r-- 1 dteam004 cg 175 Jun 13 13:49 config
> drwxr-x--- 4 dteam004 cg 4096 Jun 13 16:06 ..
> # ls -l /home/grid/dteam004
> total 12
> -rw-r--r-- 1 dteam004 cg 1 Jun 13 13:49 free_wns
> -rw-r--r-- 1 dteam004 cg 1240 Jun 13 13:49 ssh.tgz
> -rw-r--r-- 1 dteam004 cg 1 Jun 13 13:49 wns
> -----------------------------------------------------------------------
>
> Such usage really has the signature of a hacker, so the guy's account/
> cert/proxy may have been hijacked...
|