by bifrost 2615 days ago
I guess I technically glossed over that, but I did say "One of the more interesting pieces of this was how Ansible was used to keep the attacker in the system". The attacker was persisted via CM and their public repo; I'm actually surprised this doesn't happen more often.
1 comments

I should clarify this comment a bit since it seems to be the most controversial.

When I say the attacker was persisted via CM, I'm pointing at his own notes, nodding to broken CM, the requirements of supporting the CM and availability of the config files.

I also sanity checked the sshd_config file on my systems; they're all set to a sane default:

"AuthorizedKeysFile .ssh/authorized_keys"

FWIW I prefer to treat CM data as "valuable" information for this reason.
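
The sshd_config sanity check mentioned in the comment above can be scripted; this is an added example, not part of the original comment. The function names and sample configurations are constructed for illustration, and it assumes OpenSSH's documented behaviour: the first value obtained for a keyword wins, and the built-in default when the directive is absent is `.ssh/authorized_keys .ssh/authorized_keys2`.

```python
import re
import shlex

# Built-in OpenSSH value used when sshd_config does not set the directive.
OPENSSH_DEFAULT = [".ssh/authorized_keys", ".ssh/authorized_keys2"]
# "Keyword args" or "Keyword=args"; comment and blank lines do not match.
LINE = re.compile(r"^\s*([A-Za-z]\w*)(?:\s*=\s*|\s+)(.*)$")

def effective_authorized_keys(config_text):
    """Map each scope (global or a Match block) to its AuthorizedKeysFile paths.

    Include files are not followed; feed them in separately.
    """
    scopes, scope = {}, "global"
    for raw in config_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        keyword, args = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            scope = "global" if args.lower() == "all" else "match " + args
        elif keyword == "authorizedkeysfile":
            # First obtained value wins, so later duplicates are ignored.
            scopes.setdefault(scope, shlex.split(args, comments=True))
    scopes.setdefault("global", list(OPENSSH_DEFAULT))
    return scopes

def audit(config_text, expected=(".ssh/authorized_keys",)):
    """Return (scope, path) pairs sshd would read keys from beyond `expected`."""
    findings = []
    for scope, paths in effective_authorized_keys(config_text).items():
        findings += [(scope, p) for p in paths if p not in expected and p != "none"]
    return findings

# Constructed sample configurations (not taken from any real host).
SET_EXPLICITLY = "Port 22\nAuthorizedKeysFile .ssh/authorized_keys\n"
DIRECTIVE_ABSENT = "Port 22\n#AuthorizedKeysFile .ssh/authorized_keys\n"
MATCH_OVERRIDE = """\
AuthorizedKeysFile .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys2   # later duplicate, ignored
Match User deploy
    AuthorizedKeysFile=.ssh/authorized_keys /etc/ssh/extra_keys/%u
"""

if __name__ == "__main__":
    for name in ("SET_EXPLICITLY", "DIRECTIVE_ABSENT", "MATCH_OVERRIDE"):
        print(name, audit(globals()[name]))
```

On a live host, the output of `sshd -T` gives the configuration the daemon actually resolved and can be compared against what CM is supposed to have deployed.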