Date:  Thu, 30 Jul 2009 10:29:15 -0400
From:  "Darrell D. Mobley" <dmobley (at mark) uhostme.com>
Subject:  [coba-e:15851] Re: [LIKELY_SPAM]Root exploit on Blue Quartz
To:  <coba-e (at mark) bluequartz.org>
Message-Id:  <662D282894D744BB94D0A6B9655C041A@HP9925NR>
In-Reply-To:  <F8C0A438-9892-4429-BC33-1881AE8444E7 (at mark) scargo.nl>
References:  <E776AF61EE604DC3BC41E9AB2D91AAA2 (at mark) HP9925NR> <200907300403.10254.bq (at mark) solarspeed.net> <00f101ca10c1$5b83fe70$6401a8c0 (at mark) HPPAVILION> <4A713F25.7000801 (at mark) monostar.net> <F8C0A438-9892-4429-BC33-1881AE8444E7 (at mark) scargo.nl>
X-Mail-Count: 15851

> -----Original Message-----
> From: Taco Scargo [mailto:taco (at mark) scargo.nl]
> Sent: Thursday, July 30, 2009 4:42 AM
> To: coba-e (at mark) bluequartz.org
> Subject: [coba-e:15850] Re: [LIKELY_SPAM]Root exploit on Blue Quartz
> 
> Or stop using Windows/Internet Explorer altogether.
> I am 100% sure this person knew your admin password.
> He (or she) also must have used BQ before, else one does not use the
> gui to create a user.
> He could have logged in using ssh right away with the admin account.
> Why go through the trouble of creating another account?
> 
> Are you 100% confident you are the only one that knows the password?
> Never requested help from someone?

The only other people who knew the password were the support guys at my web
host.  I trust them.  I suspect my old laptop, which got infected with a
rootkit a short while back, may be the culprit.

It was interesting, they created the user, logged onto SSH, sat there and
didn't run one command, then deleted the user in the GUI.

I wonder if I should put SSH on another port?