server compromised?

Amit Nepal amit at amitnepal.com
Thu Mar 7 17:18:55 MST 2013


That part usually means that the key was generated by that user on that 
machine, or sometimes it is the description of the key, e.g. when you 
generate the key using puttygen. If the key is generated on a Linux 
machine, the last part would be user at hostname of the machine. I would 
"suspect" that the server has been compromised if you are sure that 
domain.com is not one of your machines that was used to generate the key, 
because having a key in the authorized keys means giving access to the 
machine. I highly recommend using OSSEC or some other monitoring tool in 
the future to notify you of any changes in the major files in the operating 
system.

Thank you

Amit K Nepal
Infrastructure Engineer (RHCE)
omNovia Technologies Inc. <http://www.omnovia.com>
Amit K Nepal <http://www.amitnepal.com>

On 3/7/2013 4:49 PM, Vimal Shah wrote:
> Hello all,
>
> While randomly looking into the .ssh/authorized_keys file, I noticed a 
> line that shouldn't have been there. This was concluded based on the 
> last portion of the line. This portion was in the form of 
> user at domain.com, where the domain was one 
> of a likely competitor. Does this automatically mean that this server 
> has been compromised? The line has been removed.
>
> Thanking everyone in advance.
>
> -- 
> Vimal
>
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
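
Added example, not part of the original thread: the trailing comment in an authorized_keys line is free text that sshd ignores, so an audit is more reliable when it compares key fingerprints against an approved list and reports the comment only as a hint. The sample file, the placeholder key blobs and the names `parse_line`, `audit`, `blob` and `APPROVED` are constructed for this illustration.

```python
import base64
import hashlib
import shlex

KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")  # how the key-type field starts


def parse_line(line):
    """Parse one authorized_keys line; None for blank/comment, ValueError if malformed."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    lex = shlex.shlex(line, posix=True)  # keeps quoted option values in one field
    lex.whitespace_split, lex.quotes, lex.commenters = True, '"', ""
    fields = list(lex)
    k = next((i for i, f in enumerate(fields[:2]) if f.startswith(KEY_PREFIXES)), None)
    if k is None or k + 1 >= len(fields):
        raise ValueError("no key type and blob found")
    digest = hashlib.sha256(base64.b64decode(fields[k + 1], validate=True)).digest()
    # Same "SHA256:<unpadded base64>" form that ssh-keygen -lf prints.
    fp = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return {"options": fields[0] if k else "", "type": fields[k],
            "fingerprint": fp, "comment": " ".join(fields[k + 2:])}


def audit(text, approved):
    """Return (line_no, fingerprint, comment) for each key whose fingerprint is not approved."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        try:
            entry = parse_line(line)
        except ValueError:  # includes bad base64; report rather than skip
            findings.append((n, "UNPARSABLE", line.strip()))
            continue
        if entry and entry["fingerprint"] not in approved:
            findings.append((n, entry["fingerprint"], entry["comment"]))
    return findings


def blob(seed):  # constructed placeholder blob, not a real public key
    return base64.b64encode(seed).decode()

SAMPLE = "\n".join([  # constructed sample file
    "# deploy keys",
    "ssh-ed25519 %s alice@build01" % blob(b"constructed-key-1"),
    'from="192.0.2.10",command="echo hi" ssh-rsa %s user@domain.example' % blob(b"constructed-key-2"),
    "ssh-ed25519 %s alice@build01" % blob(b"constructed-key-3"),  # familiar comment, unknown key
])
APPROVED = {parse_line(SAMPLE.splitlines()[1])["fingerprint"]}
FINDINGS = audit(SAMPLE, APPROVED)
```

The last sample line reuses a familiar-looking comment with a different key and is still reported, which is the case a comment-based review would miss.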
