 

Checking your own account

Notice regarding a security breach

This is a general notice regarding the security of your account on one or more Unix systems. It is, therefore, somewhat general in certain regards. It applies to people with full ("shell") accounts on Unix systems and does not apply to people with "menu" access to Hermes, even though that system runs Unix. It does not apply to the PWF at all.

There are various reasons why this notice may have been issued. The most likely reasons are given in the following list.

  • A particular account of yours is known to have been compromised.
  • Your account exists on a system that is known to have been compromised.
  • You have accessed your account over a network that may have been "snooped" on at some time.

This notice is designed to help you resecure your account and to check for any "backdoors" that the attacker may have left to make subsequent access to the system easier. If you have problems understanding it for an account on a CS system, please contact the Help Desk for assistance.

Changing passwords

  • If your password has already been changed for you on a departmental or college system, you will need to contact the system administrator within that department or college.
  • If your password has not been changed, please change it.
  • Please change your passwords on all systems you have accounts on wherever they are and not just the particular system that has been attacked.
  • Under all circumstances, please do not choose as a new password a password you have used before, even on a different system.
  • When you choose your password, please do not choose a name or a word from a dictionary. See Information Sheet IS6 "Changing/Choosing Your Password" for advice.

Checking your account

For each of your accounts on a Unix system, please perform the following simple tests to see if your account has been tampered with.

  • Check the file ".rhosts" in your home directory. (This is the file that lets your account on other systems use the local one without prompting for a password via rsh, rlogin, etc.)
  • Check the files ".shosts" and ".ssh/authorized_keys" in your home directory. (These are the files that let your account on other systems use the local one without prompting for a password via ssh, slogin, etc.)
    • If you didn't have one, has one been created?
    • If you did have one, has it been changed?
    • Can you account for each of the machines in the file?
  • Check the files ".netrc" and ".sitecopyrc" in your home directory. (These files automate FTP transfers and contain passwords for remote systems. You may well not have them.)
    • If you didn't have one, has one been created?
    • If you did have one, has it been changed?
    • Can you account for each of the machines in the file?
    • Every account listed in these files should also be regarded as compromised and treated in the same way as the current one, including non-Unix accounts such as those on the PWF.
  • Check your login record with the "last" command.
    • e.g. if your userid is "fjc55", run "last fjc55".
    • Do all these sessions look plausible? Do you recognise the originating systems? (An origin of ":0" is the local X display, i.e. a login at the console.)
    • Alternatively, is the log missing sessions that you know should be there? (last's output typically ends with a line saying when the log begins and you should not expect to see any entries earlier than that.)
  • Check the file ".forward" in your home directory. This file redirects or otherwise processes your email. You may not have one if you do not forward or filter your email.
    • If you have a ".forward" file, is it the one you created?
  • Check your mail box.
    • Can you remember sending all your outgoing mail or are there messages sent from your account that you didn't send?
    • Are there messages marked as read that you haven't actually read?
  • Have any "cron" jobs been set up for your account? (A cron job is a job scheduled to run regularly.)
    • To check your cron jobs, run "crontab -l".
    • A message saying "no crontab for fjc55", "can't open your crontab file" or something similar means you don't have any cron jobs.
    • If some output is generated, can you account for all of it?
  • Have any "at" jobs been set up for your account? (An at job is a job scheduled to run once at a particular time.)
    • To check your at jobs, run "atq".
    • A message saying "no files in queue" or something similar means you don't have any at jobs.
    • If some output is generated, can you account for all of it?
  • Have your login or logout scripts been changed? The names of the files vary according to the shell you use:
    • If you are a Bash user, you have ".bash_profile" and ".bashrc" as your login scripts and ".bash_logout" as your logout script. (If ".bash_profile" is absent, bash falls back to ".bash_login" and then ".profile", so check those too.)
    • If you are a Bourne shell user, you have ".profile" as your login script and no logout script.
    • If you are a C-shell user, you have ".login" and ".cshrc" as your login scripts and ".logout" as your logout script.
  • Are there any files in your home directory you cannot account for? Recall that files whose names begin with a dot are not normally shown by "ls". Some attackers create files whose names contain control characters to confuse the output of ls. Use "ls -ab | more" to show all files (the "-a" option) and to display control characters in numeric format (the "-b" option).
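The checks above can be scripted so that they are run the same way on each of your accounts. The script below is an added example, not part of the original notice or of any Computing Service tool; it reads the dotfiles listed above from one home directory, flags the patterns an attacker typically plants (a "+" wildcard in .rhosts/.shosts, a planted public key, stored FTP credentials, a .forward that pipes mail to a command, and file names containing control characters) and then runs "last", "crontab -l" and "atq" for the current user. It assumes GNU stat(1) for modification times (on BSD/macOS use "stat -f '%Sm'") and that ls -b prints non-printing characters as \ooo escapes. Sample file contents shown in the usage note are constructed for illustration.

```shell
#!/bin/sh
# check_account.sh: run the dotfile checks from the notice on one home
# directory.  Added example (not the Computing Service's own tool).
# "WARN:" lines are things attackers commonly plant; "INFO:" lines are
# files you should read through yourself.  Both functions return 0 so
# they can be run under "set -e".

# Files that grant password-less access or hold credentials / mail rules.
AUDIT_FILES=".rhosts .shosts .ssh/authorized_keys .netrc .sitecopyrc .forward"
# Shell login/logout scripts (bash, Bourne shell, C shell and bash fallbacks).
STARTUP_FILES=".bash_profile .bash_login .bashrc .bash_logout .profile .login .cshrc .logout"

# Modification time of a file (assumes GNU stat; BSD/macOS: stat -f '%Sm').
mtime_of() {
    stat -c '%y' "$1" 2>/dev/null || echo "mtime unknown"
}

audit_home() {
    dir=${1:-$HOME}

    for rel in $AUDIT_FILES; do
        f="$dir/$rel"
        [ -e "$f" ] || continue
        echo "INFO: $rel exists, last modified $(mtime_of "$f")"
        case "$rel" in
            .rhosts|.shosts)
                # A "+" entry trusts every host (or every user on a host).
                if grep -q '^[[:space:]]*+' "$f"; then
                    echo "WARN: $rel contains a wildcard (+) trust entry"
                fi
                # Every remaining line names a host you must be able to account for.
                sed -n 's/^/INFO:   trusted host: /p' "$f"
                ;;
            .ssh/authorized_keys)
                # Key type and comment; the comment is often the only clue
                # to where a planted key came from.
                awk '/^[[:space:]]*(ssh-|ecdsa-|sk-)/ {
                    c = ""; for (i = 3; i <= NF; i++) c = c " " $i
                    print "INFO:   key " $1 " comment:" c }' "$f"
                ;;
            .netrc|.sitecopyrc)
                # Each machine with a stored password is itself compromised.
                awk '{ for (i = 1; i < NF; i++)
                         if ($i == "machine" || $i == "server")
                             print "WARN:   stored credential for " $(i+1) }' "$f"
                ;;
            .forward)
                # "|command" runs a program on every incoming mail and
                # ":include:" pulls in another file: classic backdoors unless
                # you set them up yourself (e.g. for a mail filter).
                if grep -Eq '\||:include:' "$f"; then
                    echo "WARN: .forward pipes mail to a command or includes another file"
                fi
                sed -n 's/^/INFO:   forward entry: /p' "$f"
                ;;
        esac
    done

    # Login/logout scripts: report modification times so recent edits stand out.
    for rel in $STARTUP_FILES; do
        f="$dir/$rel"
        [ -e "$f" ] && echo "INFO: $rel last modified $(mtime_of "$f")"
    done

    # Names containing non-printing characters (ls -b shows them as \ooo or \t).
    LC_ALL=C ls -ab "$dir" 2>/dev/null | grep -E '\\[0-7]{3}|\\[abfnrtv]' |
        sed 's/^/WARN: filename with control characters: /'
    return 0
}

# Checks that only make sense for the account you are currently logged in as.
audit_session_state() {
    me=$(id -un)
    echo "INFO: login history for $me (check each origin; :0 is the console)"
    last "$me" 2>/dev/null || echo "INFO:   last(1) unavailable or no wtmp on this host"
    echo "INFO: cron jobs"
    crontab -l 2>/dev/null || echo "INFO:   no crontab"
    echo "INFO: at jobs"
    atq 2>/dev/null || echo "INFO:   no at jobs (or at(1) not installed)"
    return 0
}

# Usage: sh check_account.sh [homedir]   (defaults to your own home directory)
audit_home "${1:-$HOME}"
audit_session_state
```

Run it once per account and keep the output: a .rhosts line reading "+ +", an authorized_keys comment you do not recognise, or a .forward entry such as "|/tmp/.x/backdoor" (all constructed examples) are exactly the findings the notice asks you to report without changing anything.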

If you discover something amiss

  • On a Computing Service system, please contact the Help Desk on 34681 or by e-mail to service-desk@ucs.cam.ac.uk.
  • On any other system within the University, contact the system's administrator and the departmental or college computer manager with details.
  • On any system outside the University, contact the system's administrator.
  • Under all circumstances, when you find something suspicious, report it and do not change anything until the system administrator says so.