LAST WEEK:
/boot/grub/grub.cfg: 6c3209882734351aa672d3f222bb382267c22ad4
/boot/vmlinuz-4.13.0: d6328ceea77c930e853da08b494c71ad2f8f9b47
/etc/passwd: 02f727aaabab9c2963092ba3d7f3543980fef790
/etc/shadow: 71558dd386a50333ffb71c07ad904e9abd6792cf
/etc/ssh/sshd_config: 5a960d6641b42ff8f9e947e218b371b2ad12a728
/bin/ls b79f70b18538de0199e6829e06b547e079df8842

TODAY:
/boot/grub/grub.cfg: 6c3209882734351aa672d3f222bb382267c22ad4
/boot/vmlinuz-4.13.0: d6328ceea77c930e853da08b494c71ad2f8f9b47
/etc/passwd: 7c6fa9266a5abfa03d685ea7f7164393c984b710
/etc/shadow: 9a4fb74ef00824d6e84785ad53d6fed364947778
/etc/ssh/sshd_config: 5a960d6641b42ff8f9e947e218b371b2ad12a728
/bin/ls b79f70b18538de0199e6829e06b547e079df8842

You are examining records from a busy server that is critical to your organization's financial well-being. What should you report to management?
A: Everything seems to be fine.
B: A user is violating the AUP.
C: An intruder has gained administrative access and changed the system configuration.
D: An intruder has gained administrative access and replaced operating system components, and we can no longer trust the operating system itself or any programs installed there.
You probably added a new user, adding one new line to each file.
Or maybe you modified a user (changing
and coincidentally someone changed their password
Again, no worry.
It's possible that someone gained administrative access and they created the new user. But A is by far the most likely explanation.