====== Security issues ======

===== Account Access =====

While investigating a security issue, it was found that the attacker had created an account named "benr". Joyent employees will not create accounts in your container! If for some reason we were required to create one while fixing a problem, we would remove it when we were finished.

When we log into your container, which we rarely do, we use a back-end method (zlogin), and you'll notice it in your last log like this:

  $ last | more
  root      pts/15       zone:global      Mon Dec  4 12:34   still logged in
  root      pts/15       zone:global      Mon Dec  4 11:45 - 12:17  (00:32)
  root      pts/15       zone:global      Mon Dec  4 11:03 - 11:10  (00:07)

So if you see "zone:global" instead of an IP address in the last log, that's us logging into your container, either to check something we think might be out of whack or to answer a ticket or something.

If you see a new mysterious account for "benr", "shane", "jason", or other Joyent/TextDrive names, something is very wrong and you should report it immediately. Remember, script kiddies can read forums too.

====== What to do ======

On a related note, please check your container from time to time for security violations. Rotating your passwords on a regular basis is a good idea, and never create weak passwords. Shut down services you don't need so that they aren't a target for hackers.

Do not expect us to report security violations to you! In this case I got lucky and stumbled across the container while doing a routine systems check before answering a customer ticket; an attack script was pegging a CPU and looked suspicious... but this is not the expected norm.
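
One way to do the periodic check described above, as an added example that is not Joyent's own tooling: it labels each session in ''last'' output by origin (''zone:global'' is a zlogin from the global zone) and lists accounts that were not present in a saved baseline copy of the passwd file. The function names, the baseline path, and all sample data except the account name "benr" are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Joyent tooling). All sample data below is constructed.

# Read `last` output on stdin; print "user origin kind" per session.
#   zlogin = origin column is zone:global (back-end login from the global zone)
#   local  = no origin column (console login), so field 3 is the weekday
#   remote = anything else, normally an IP address or hostname
classify_last() {
  awk 'NF >= 3 && $1 != "wtmp" && $1 != "reboot" {
         if ($3 == "zone:global") print $1, $3, "zlogin"
         else if ($3 ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) print $1, "-", "local"
         else print $1, $3, "remote"
       }'
}

# Print account names found in the current passwd file ($2) but absent from
# a baseline copy ($1) saved while the container was known to be clean.
new_accounts() {
  awk -F: 'FILENAME == ARGV[1] { known[$1] = 1; next }
           !($1 in known)      { print $1 }' "$1" "$2"
}

# Demo on constructed data. Real use (baseline path is hypothetical):
#   last | classify_last
#   new_accounts /path/to/passwd.baseline /etc/passwd
demo() {
  dir=$(mktemp -d) || return 1
  printf '%s\n' 'root:x:0:0::/root:/sbin/sh' \
                'alice:x:100:10::/home/alice:/bin/bash' > "$dir/baseline"
  cp "$dir/baseline" "$dir/current"
  echo 'benr:x:101:10::/home/benr:/bin/bash' >> "$dir/current"
  echo "Accounts added since baseline:"
  new_accounts "$dir/baseline" "$dir/current"
  echo "Sessions:"
  classify_last <<'EOF'
root   pts/15  zone:global   Mon Dec  4 11:45 - 12:17  (00:32)
alice  pts/3   203.0.113.7   Mon Dec  4 09:15 - 09:40  (00:25)
root   console               Sun Dec  3 22:01 - 22:05  (00:04)
EOF
  rm -rf "$dir"
}
demo
```

Any "remote" session from an address you do not recognise, or any name printed by ''new_accounts'', is worth investigating and reporting.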