Vega Forneris wrote:
>
> Hi again *,
>
> At this point I think the user is the same for every site (here in Italy
> many sites have already closed their gatekeeper to this user during the
> day for the same reason).
>
> I really think that he wasn't doing anything bad and the local user
> itself has little power on the systems (normal dteam user)... but when you
> find files "where they shouldn't be", well, it's a little stressful for a
> system admin ;-P
Are you sure it was the owner of the certificate who was doing these
funny things:
-----------------------------------------------------------------------
# ls -lrta /home/grid/*/.ssh
total 24
-rw-r--r-- 1 dteam004 cg 235 Jun 13 13:43 tmp_rsa_key.pub
-rw------- 1 dteam004 cg 887 Jun 13 13:43 tmp_rsa_key
-rw-r--r-- 1 dteam004 cg 235 Jun 13 13:43 authorized_keys
drwx------ 2 dteam004 cg 4096 Jun 13 13:43 .
-rw-r--r-- 1 dteam004 cg 175 Jun 13 13:49 config
drwxr-x--- 4 dteam004 cg 4096 Jun 13 16:06 ..
# ls -l /home/grid/dteam004
total 12
-rw-r--r-- 1 dteam004 cg 1 Jun 13 13:49 free_wns
-rw-r--r-- 1 dteam004 cg 1240 Jun 13 13:49 ssh.tgz
-rw-r--r-- 1 dteam004 cg 1 Jun 13 13:49 wns
-----------------------------------------------------------------------
Such usage really has the signature of a hacker, so the guy's account/
cert/proxy may have been hijacked...
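
Added example (not part of the original message): a shell check for the pattern in the listing above, SSH material inside pool-account home directories under a base such as /home/grid. It assumes pool accounts like dteam004 are meant to be reached only through the gatekeeper, so any .ssh content is worth reviewing; the function name and the output labels are made up for this example.

```shell
#!/bin/sh
# audit_pool_ssh BASE
# Prints one "KIND<TAB>PATH" line for every regular file found in a .ssh
# directory directly below BASE/<account>/ (e.g. /home/grid/dteam004/.ssh).
# Assumption: pool accounts have no legitimate reason to hold SSH material.
audit_pool_ssh() {
    base=$1
    for sshdir in "$base"/*/.ssh; do
        [ -d "$sshdir" ] || continue
        # Second pattern also picks up dot-files hidden inside .ssh
        for f in "$sshdir"/* "$sshdir"/.[!.]*; do
            [ -f "$f" ] || continue
            name=${f##*/}
            if [ "$name" = authorized_keys ] || [ "$name" = authorized_keys2 ]; then
                # Allows logins that never pass through the gatekeeper
                kind=AUTHKEYS
            elif grep -q 'PRIVATE KEY-----' "$f" 2>/dev/null; then
                # PEM/OpenSSH private key header, whatever the file is called
                kind=PRIVKEY
            elif [ "$name" = config ]; then
                # Client config, may point at other hosts worth checking
                kind=CONFIG
            else
                kind=OTHER
            fi
            printf '%s\t%s\n' "$kind" "$f"
        done
    done
    return 0
}

# Run against a base directory when one is given on the command line,
# e.g.: sh audit_pool_ssh.sh /home/grid
if [ "$#" -gt 0 ]; then
    audit_pool_ssh "$1"
fi
```

Any hit is a starting point for comparing file timestamps against the gatekeeper logs, to see which certificate or proxy was mapped to the account at that time.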