Alessandra
This is a fair point and one to be followed up by the ROC. While people
are understandably concerned, if the message about the user had gone out
earlier we would have reduced the mails on this list and the time people
have spent investigating locally (and reading the emails!). I'm sure if
the message had gone on the security list it would have been picked up
by most sites, but we should test this soon! In addition this list
(TB-SUPPORT) has open archives so particular security concerns probably
should not be discussed on it.
Jeremy
-----Original Message-----
From: Testbed Support for GridPP member institutes
[mailto:[log in to unmask]] On Behalf Of Alessandra Forti
Sent: 13 June 2005 18:15
To: [log in to unmask]
Subject: Re: [LCG-ROLLOUT] How to blacklist a certificate at site level ?? (fwd)
Hi,
sorry if I keep on "hitting the iron while it is hot" but....
if Jeremy hadn't forwarded the email from the ROC we would still be in the
dark. As a site security contact I would have preferred to receive an
email from lcg-project-security-contacts with a full explanation about
what has happened.
cheers
alessandra
--
********************************************
* Dr Alessandra Forti *
* Technical Coordinator - NorthGrid Tier2 *
* http://www.hep.man.ac.uk/u/aforti *
********************************************
---------- Forwarded message ----------
From: Maarten Litmaath <[log in to unmask]>
To: [log in to unmask]
Date: Mon, 13 Jun 2005 19:03:29 +0200
Subject: Re: [LCG-ROLLOUT] How to blacklist a certificate at site level ??
Vega Forneris wrote:
>
> Hi again *,
>
> At this point I think the user is the same for every site (here in Italy
> many sites have already closed their gatekeeper to such user during the day
> for the same reason).
>
> I really think that he wasn't doing anything bad and the local user itself
> has little power on systems (normal dteam user)...but when you find files
> "where they shouldn't be", well it's a little stressing for a system admin
> ;-P
Are you sure it was the owner of the certificate who was doing these
funny things:
-----------------------------------------------------------------------
# ls -lrta /home/grid/*/.ssh
total 24
-rw-r--r-- 1 dteam004 cg 235 Jun 13 13:43 tmp_rsa_key.pub
-rw------- 1 dteam004 cg 887 Jun 13 13:43 tmp_rsa_key
-rw-r--r-- 1 dteam004 cg 235 Jun 13 13:43 authorized_keys
drwx------ 2 dteam004 cg 4096 Jun 13 13:43 .
-rw-r--r-- 1 dteam004 cg 175 Jun 13 13:49 config
drwxr-x--- 4 dteam004 cg 4096 Jun 13 16:06 ..
# ls -l /home/grid/dteam004
total 12
-rw-r--r-- 1 dteam004 cg 1 Jun 13 13:49 free_wns
-rw-r--r-- 1 dteam004 cg 1240 Jun 13 13:49 ssh.tgz
-rw-r--r-- 1 dteam004 cg 1 Jun 13 13:49 wns
-----------------------------------------------------------------------
Such usage really has the signature of a hacker, so the guy's
account/cert/proxy may have been hijacked...
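The listing Maarten posted is the kind of indicator a site could check for routinely rather than discover by accident: a grid pool account is mapped from a certificate and runs batch jobs, so an `.ssh` directory with an `authorized_keys` file, a freshly written private key and a tarball in its home is out of place. The script below is an added example, not code from the thread or from any LCG/GridPP tool. It assumes pool accounts are named with a `dteam` prefix and are not expected to hold interactive SSH material; it builds a constructed directory tree shaped like the posted `ls` output (with placeholder key text, not a real key) and reports what it finds per account.

```python
"""Audit grid pool-account homes for unexpected SSH artefacts (added example)."""
from __future__ import annotations

import tempfile
from pathlib import Path

# Assumption: pool accounts at this site are named dteamNNN, and they are
# batch-only accounts that should never carry their own SSH keys.
POOL_PREFIXES = ("dteam",)
# Archives dropped into a pool-account home are worth a second look.
ARCHIVE_SUFFIXES = (".tgz", ".tar", ".gz", ".zip")
PRIVATE_KEY_MARKER = b"-----BEGIN"


def looks_like_private_key(path: Path) -> bool:
    """True if the file opens with a PEM header that names a private key."""
    try:
        with path.open("rb") as fh:
            head = fh.read(64)
    except OSError:
        return False
    return head.startswith(PRIVATE_KEY_MARKER) and b"PRIVATE KEY" in head


def audit_home(home: Path) -> list[tuple[str, str]]:
    """Return (finding, path relative to the home) pairs for one account."""
    findings: list[tuple[str, str]] = []
    ssh_dir = home / ".ssh"
    if ssh_dir.is_dir():
        findings.append(("ssh_dir_present", ".ssh"))
        for entry in sorted(ssh_dir.iterdir()):
            rel = str(entry.relative_to(home))
            if entry.name == "authorized_keys":
                findings.append(("authorized_keys", rel))
            elif entry.name == "config":
                findings.append(("ssh_config", rel))
            elif entry.is_file() and looks_like_private_key(entry):
                findings.append(("private_key", rel))
            elif entry.suffix == ".pub":
                findings.append(("public_key", rel))
    for entry in sorted(home.iterdir()):
        if entry.is_file() and entry.name.endswith(ARCHIVE_SUFFIXES):
            findings.append(("archive", entry.name))
    return findings


def audit_pool_accounts(base: Path) -> dict[str, list[tuple[str, str]]]:
    """Audit every pool-account home under base; clean accounts are omitted."""
    results: dict[str, list[tuple[str, str]]] = {}
    for home in sorted(base.iterdir()):
        if home.is_dir() and home.name.startswith(POOL_PREFIXES):
            findings = audit_home(home)
            if findings:
                results[home.name] = findings
    return results


def build_sample_tree() -> Path:
    """Constructed sample: one home shaped like the thread's listing, one clean home."""
    base = Path(tempfile.mkdtemp(prefix="grid_home_"))
    bad = base / "dteam004"
    ssh = bad / ".ssh"
    ssh.mkdir(parents=True)
    ssh.chmod(0o700)
    # Placeholder key material only; this is not a usable key.
    (ssh / "tmp_rsa_key").write_bytes(
        b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"
    )
    (ssh / "tmp_rsa_key").chmod(0o600)
    (ssh / "tmp_rsa_key.pub").write_text("ssh-rsa PLACEHOLDER dteam004@example\n")
    (ssh / "authorized_keys").write_text("ssh-rsa PLACEHOLDER dteam004@example\n")
    (ssh / "config").write_text("Host *\n")
    (bad / "ssh.tgz").write_bytes(b"\x1f\x8b")  # gzip magic only, not a real archive
    (bad / "wns").write_text("\n")
    (bad / "free_wns").write_text("\n")
    clean = base / "dteam005"
    clean.mkdir()
    (clean / "job.out").write_text("done\n")
    return base


if __name__ == "__main__":
    for account, findings in audit_pool_accounts(build_sample_tree()).items():
        print(account)
        for kind, rel in findings:
            print(f"  {kind:16s} {rel}")
```

Pointed at a real `/home/grid` instead of the constructed tree, the same `audit_pool_accounts` call gives a per-account list that can be diffed from cron, so an `authorized_keys` file appearing on a batch-only account raises a flag the same day rather than after a list-wide email thread.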