Incidents
Ssh break that claims it was me? Oct 27 2008 11:19AM
makkalot gmail com (1 replies)
RE: Ssh break that claims it was me? Oct 27 2008 01:35PM
Viktor Larionov (viktor larionov salva ee)
Hi!

Well, I would start by simply talking to the client and checking the IP addresses from which access was granted.
I'd bet my pants that the IP address is a Chinese SOCKS proxy or something like this.

And of course first of all check that it was really your user who did that. (if the .bash_history file under your home directory is valid, you can easily see all the commands your user has executed for the past time)

And of course logs, logs and once again logs; you will definitely find a way of proving this by just carefully examining the auth logs, .bash_history file, CVS logs, etc.
If it's the CVS repo that was deleted, and a busy CVS repo, then by means of the CVS error logs you can definitely determine the time when it was done. Etc.

regards,
Vik

---
Viktor Larionov
snr. system administrator
R&D team
Salva Kindlustuse AS
Pärnu mnt. 16
10141 Tallinn
ESTONIA
tel: (+372) 683 0636, (+372) 680 0500
fax: (+372) 680 0501
gsm: (+372) 5668 6811
viktor.larionov (at) salva (dot) ee

------------
MOTD: Dream Big. Think the impossible. If you can dream it - you can create it.

-----Original Message-----
From: makkalot (at) gmail (dot) com [mailto:makkalot (at) gmail (dot) com]
Sent: Monday, October 27, 2008 1:20 PM
To: incidents (at) securityfocus (dot) com
Subject: Ssh break that claims it was me?

Hi all, I don't know if this is the right place to write this, but I didn't know what
to do...
The case is as follows:
I'm a freelance programmer and work for other people from a distance, therefore
they give me ssh access to their servers and I fix their stuff. A few
days ago I was hired to fix some django/apache stuff on a server. I fixed all
the stuff and got my money. OK, that was the story part; here is the message I
got from the client today:
"
I know you deleted the svn repo and also trac...
I don't know why you chose to go in that route... very bad
if you were not happy about something you could have
asked for more money... we could have worked together
to resolve anything... in any case.. I will report this to RAC
from the system logs and we will go from there...
I still don't know why you did this!!!! "

OK, obviously I didn't do that, because I don't have any reason to do so. Is there
a way I can prove it wasn't me? Some fingerprint ssh values? Please, any help
is appreciated, thanks in advance...

------------------------------------------------------------------------

This list is sponsored by: Black Hat USA

Attend Black Hat USA, August 2-7 in Las Vegas, the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in a relaxed setting.

www.blackhat.com
------------------------------------------------------------------------
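
Added example (not part of the original thread): a sketch of the auth-log check suggested in the reply above, listing every successful SSH login for one account with its source address, auth method, key fingerprint where logged, and session close time. The log lines are constructed samples in the format current OpenSSH writes to syslog; the host, user names, addresses and fingerprints are placeholders, and whether a fingerprint appears depends on the sshd version and LogLevel.

```python
import re

# Constructed sample lines (documentation-range addresses, made-up fingerprints).
SAMPLE_LOG = """\
Oct 24 09:12:03 web1 sshd[4121]: Accepted publickey for devuser from 192.0.2.10 port 50122 ssh2: RSA SHA256:AAAAexampleFingerprintOne
Oct 24 17:40:55 web1 sshd[4388]: Failed password for devuser from 203.0.113.77 port 41810 ssh2
Oct 25 02:31:47 web1 sshd[5190]: Accepted password for devuser from 203.0.113.77 port 41822 ssh2
Oct 25 02:58:10 web1 sshd[5190]: pam_unix(sshd:session): session closed for user devuser
Oct 26 10:05:00 web1 sshd[6002]: Accepted publickey for admin from 198.51.100.4 port 60111 ssh2: RSA SHA256:AAAAexampleFingerprintTwo
"""

PREFIX = r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[(?P<pid>\d+)\]:\s"
ACCEPTED = re.compile(
    PREFIX + r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
    r"(?: ssh2)?(?:: (?P<key>\S+ \S+))?"
)
CLOSED = re.compile(PREFIX + r".*session closed for user \S+")


def accepted_logins(log_text, user):
    """Return one dict per successful login for `user`, in log order.

    Assumption: the session-close line carries the same sshd PID as the
    matching "Accepted" line, which is used to pair them.
    """
    logins, by_pid = [], {}
    for line in log_text.splitlines():
        m = ACCEPTED.match(line)
        if m:
            if m.group("user") == user:
                entry = dict(m.groupdict(), closed=None)
                logins.append(entry)
                by_pid[entry["pid"]] = entry
            continue
        c = CLOSED.match(line)
        if c and c.group("pid") in by_pid:
            by_pid[c.group("pid")]["closed"] = c.group("ts")
    return logins


def unfamiliar_logins(logins, known_ips):
    """Logins whose source address is not one the account owner normally uses."""
    return [entry for entry in logins if entry["ip"] not in known_ips]


if __name__ == "__main__":
    for entry in unfamiliar_logins(accepted_logins(SAMPLE_LOG, "devuser"), {"192.0.2.10"}):
        print(entry["ts"], entry["ip"], entry["method"], entry["key"], "closed:", entry["closed"])
```

The session window of each login can then be compared against the time of the deletion as established from the repository logs.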
Copyright 2010, SecurityFocus