Andreas Hallmann wrote:
> Hi,
>
> once in this situation I put my compromised machine in an isolated subnet, firewalled to only allow the functionality it was set up for. If you are under pressure, this is a way to save time without feeling too uncomfortable. But this requires no data of a private nature on this machine. Hmm, cyrus account you said? Ok, I think a mail server contains private data. Moreover it's likely someone used a password there that is used elsewhere. I would alert my users and force them to change passwords.
>
> You can secure things by putting it into a subnet for which no WAN access is allowed. Since this box might be compromised, it should be isolated in a separate network. No sniffing can get anything useful and any other attempt will bang against a firewall. You can set up a mail server, feeding it with LMTP. Moreover this is your outgoing MTA. Now you can restrict this network to accept incoming LMTP transports and answer incoming IMAP requests. You can disallow traffic started from your imap server. So this machine can't do any harm any more.
>
> But still HE had some time to do something nasty, like fishing for passwords. And therefore keep an eye on all of your machines.
>
> For your enjoyment: If you like to know him better ... put him in a chroot-jail and watch him trying.

I always wanted to put him into an eliza(doctor) like shell (instead of ssh-login), and watch 'em answering silly questions :-)
-- never got around doing so though.

thilo

A shell logging each command can be informative.

cheers
AHA
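The isolation Andreas describes (the box only accepts inbound LMTP and IMAP, and nothing started from the box itself gets out), written up as an nftables ruleset. This is an added example, not code from the thread; the MTA address 192.0.2.10, the user subnet 198.51.100.0/24 and Cyrus lmtpd listening on TCP 24 are assumed placeholders.

```shell
# Added example, not from the thread: an nftables ruleset for the isolation
# Andreas describes. The compromised Cyrus box may only ACCEPT inbound LMTP
# from the front MTA and inbound IMAP from the user subnet; any connection
# the box tries to start itself is dropped (and logged, so fishing attempts
# still leave a trace). Assumed placeholder values: MTA 192.0.2.10, users
# 198.51.100.0/24, Cyrus lmtpd on TCP 24, IMAP on 143/993.

MTA_ADDR="${MTA_ADDR:-192.0.2.10}"
CLIENT_NET="${CLIENT_NET:-198.51.100.0/24}"
LMTP_PORT="${LMTP_PORT:-24}"

# Print the ruleset; load it on the box with:  isolation_ruleset | nft -f -
isolation_ruleset() {
    cat <<EOF
flush ruleset
table inet quarantine {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # incoming mail, only from the trusted MTA that feeds LMTP
        ip saddr $MTA_ADDR tcp dport $LMTP_PORT ct state new accept
        # users reading mail; nothing else may reach the box
        ip saddr $CLIENT_NET tcp dport { 143, 993 } ct state new accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        # replies on connections that were opened towards us
        ct state established,related accept
        # anything the (possibly attacker-controlled) box starts itself
        ct state new log prefix "quarantine-outbound: " drop
    }
}
EOF
}

# Offline sanity check: 0 when both inbound services are admitted,
# outbound new connections are dropped and no chain defaults to accept.
check_ruleset() {
    rules=$(isolation_ruleset)
    echo "$rules" | grep -q "ip saddr $MTA_ADDR tcp dport $LMTP_PORT ct state new accept" &&
    echo "$rules" | grep -q 'tcp dport { 143, 993 } ct state new accept' &&
    echo "$rules" | grep -q 'ct state new log prefix "quarantine-outbound: " drop' &&
    ! echo "$rules" | grep -q 'policy accept'
}
```

Syntax-check before loading with `isolation_ruleset | nft -c -f -`; loading needs root on the quarantined host, and by design the box loses DNS and every other outbound service.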