Re: server compromised?

Author: Amit Nepal
Date:  
To: plug-discuss
Subject: Re: server compromised?
That part usually means that the key was generated by that user on that
machine, or sometimes it is the description of the key, e.g. when you
generate the key using puttygen. If the key is generated on a Linux
machine, the last part would be user@hostname of the machine. I would
"suspect" that the server has been compromised, if you are sure that
domain.com is not one of your machines that was used to generate the key,
because having a key in the authorized keys means giving access to the
machine. I highly recommend using OSSEC or some other monitoring tool in
the future to notify you of any changes to the major files in the operating
system.

Thank you

Amit K Nepal
Infrastructure Engineer (RHCE)
omNovia Technologies Inc. <http://www.omnovia.com>
Amit K Nepal <http://www.amitnepal.com>
On 3/7/2013 4:49 PM, Vimal Shah wrote:
> Hello all,
>
> While randomly looking into the .ssh/authorized_keys file, I noticed a
> line that shouldn't have been there. This was concluded based on the
> last portion of the line. This portion was in the form of
> user@domain.com, where the domain was one
> of a likely competitor. Does this automatically mean that this server
> has been compromised? The line has been removed.
>
> Thanking everyone in advance.
>
> --
> Vimal
>
>
> ---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
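
Added example, not part of the original thread: because the trailing comment in an authorized_keys entry is only a description, an audit is better keyed on each key's fingerprint than on its user@hostname text. The sketch below parses entries (including ones with leading options), computes the SHA256 fingerprint, and reports keys missing from a trusted set; the function names, sample lines and trusted set are hypothetical, constructed for illustration.

```python
import base64, hashlib, re, struct

# Entry layout: [options] keytype base64-blob [comment]
LINE_RE = re.compile(
    r'(?:^|\s)((?:ssh|ecdsa|sk)-[\w@.-]+)\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$')

def parse_entry(line):
    """Return (keytype, fingerprint, comment), or None if the line holds no valid key."""
    line = line.strip()
    m = None if line.startswith("#") else LINE_RE.search(line)
    if not m:
        return None
    keytype, b64, comment = m.group(1), m.group(2), m.group(3) or ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:
        return None
    # The blob begins with a length-prefixed copy of the key type; both must agree.
    if len(blob) < 4 or blob[4:4 + struct.unpack(">I", blob[:4])[0]] != keytype.encode():
        return None
    digest = hashlib.sha256(blob).digest()
    # Same form ssh-keygen -l prints: unpadded base64 of SHA-256 over the blob.
    return keytype, "SHA256:" + base64.b64encode(digest).decode().rstrip("="), comment

def audit(text, trusted_fingerprints):
    """Return (lineno, keytype, fingerprint, comment) for every key not in the trusted set."""
    return [(n, *e) for n, line in enumerate(text.splitlines(), 1)
            if (e := parse_entry(line)) and e[1] not in trusted_fingerprints]

def constructed_key(seed):
    """Constructed sample data: a well-formed ed25519 blob, not a real key."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32)
    return base64.b64encode(blob + hashlib.sha256(seed).digest()).decode()

ADMIN = "ssh-ed25519 %s admin@workstation" % constructed_key(b"admin")
SAMPLE = "\n".join([
    "# constructed sample authorized_keys",
    ADMIN,
    'no-pty,command="/usr/bin/backup run" ssh-ed25519 %s user@domain.com'
    % constructed_key(b"other"),
    # Same comment as the trusted entry, different key: still reported.
    "ssh-ed25519 %s admin@workstation" % constructed_key(b"third"),
])
TRUSTED = {parse_entry(ADMIN)[1]}  # in practice, fingerprints you recorded yourself

if __name__ == "__main__":
    for lineno, keytype, fp, comment in audit(SAMPLE, TRUSTED):
        print(f"line {lineno}: {keytype} {fp} comment={comment!r}")
```

Run against the constructed sample, it reports lines 3 and 4: the unfamiliar user@domain.com key and a key that reuses a familiar comment but has an unknown fingerprint.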

