Checking the freshly-minted Logwatch output from the now resurrected ex-hacked server I saw three logins through SSH. One was from the office IP (which would be me), one from my home IP (uh... me again) and one from a Spanish IP with a number of password failures before one success. Oh noes! Spanish hax0rs!?
Well... there was the possibility it was our guy in Spain, so I IM'd him.
Archive for May of 2005
From the department of residual paranoia
May 07, 2005
H4x0r3d
May 04, 2005
Someone managed to get a rootkit on one of the boxes at work. The first clue we had was when the password was changed. Since I log in through ssh using no-password authentication this didn't affect me or stop me logging in. At first I thought maybe someone else at work had changed the password - but then it turned out that every command that made use of dates threw up a segfault - notably ls -l.