Fix Security Intrusion Detection Alert From Compromised Credentials

Introduction

Intrusion detection systems (IDS) like OSSEC, Wazuh, Snort, or cloud-native security tools generate alerts when they detect signs of compromised credentials - such as logins from unusual locations, impossible travel patterns, privilege escalation attempts, or access to sensitive resources at unusual hours. These alerts require immediate investigation because they may indicate an active breach where an attacker is using stolen credentials to access your systems.

Symptoms

• IDS alert: Multiple failed login attempts followed by successful login from unusual IP
• Alert: User logged in from country not in normal access pattern
• SIEM dashboard shows anomalous authentication events
• User reports their account was accessed without their knowledge
• Unusual API calls or data downloads detected from a user account

Common Causes

• Password reused across multiple services and leaked in a third-party breach
• Phishing attack capturing user credentials
• Credential stuffing attack using leaked password database
• Stolen session token or API key
• Keylogger or malware on the user's workstation

Step-by-Step Fix

1. 1.Immediately lock down the affected account:
2. 2.```bash
3. 3.# Disable the user account
4. 4.sudo usermod -L compromised_user
5. 5.# Or lock in Active Directory
6. 6.# PowerShell: Disable-ADAccount -Identity compromised_user

# Kill all active sessions sudo pkill -u compromised_user # Revoke all active tokens sudo find /var/run -name "*compromised_user*" -delete ```

1. 1.Investigate the scope of the compromise:
2. 2.```bash
3. 3.# Check authentication logs for the compromised account
4. 4.sudo grep "compromised_user" /var/log/auth.log | tail -50
5. 5.sudo grep "compromised_user" /var/log/secure | tail -50

# Check what the account accessed sudo grep "compromised_user" /var/log/sudo.log 2>/dev/null sudo lastlog -u compromised_user

# Check for data exfiltration sudo grep "compromised_user" /var/log/nginx/access.log | \ awk '{print $7}' | sort | uniq -c | sort -rn | head -20 ```

1. 1.Reset all credentials for the affected user:
2. 2.```bash
3. 3.# Reset password
4. 4.sudo passwd compromised_user
5. 5.# Force password change on next login
6. 6.sudo chage -d 0 compromised_user
7. 7.# Revoke and regenerate SSH keys
8. 8.rm -rf /home/compromised_user/.ssh/*
9. 9.sudo -u compromised_user ssh-keygen -t ed25519 -N ""
10. 10.# Revoke API tokens and session cookies
11. 11.`
12. 12.Check for persistence mechanisms installed by the attacker:
13. 13.```bash
14. 14.# Check cron jobs
15. 15.crontab -u compromised_user -l
16. 16.# Check for unauthorized SSH keys
17. 17.cat /home/compromised_user/.ssh/authorized_keys
18. 18.# Check for modified sudoers
19. 19.sudo grep compromised_user /etc/sudoers /etc/sudoers.d/*
20. 20.# Check for new services or systemd timers
21. 21.systemctl list-timers --all
22. 22.`
23. 23.Enable multi-factor authentication for the account:
24. 24.```bash
25. 25.# For Google Authenticator (TOTP)
26. 26.sudo apt install libpam-google-authenticator
27. 27.sudo -u compromised_user google-authenticator
28. 28.# Enable PAM module
29. 29.sudo nano /etc/pam.d/sshd
30. 30.# Add: auth required pam_google_authenticator.so
31. 31.`
32. 32.Report the incident and update security policies:
33. 33.Document the timeline, affected systems, data accessed, and remediation steps taken. Review whether additional users need credential resets based on the access patterns discovered.

Prevention

• Enforce multi-factor authentication for all user accounts
• Implement password policy requiring unique, strong passwords
• Use password managers to prevent password reuse across services
• Monitor login patterns with anomaly detection (geo-velocity, time-based)
• Implement conditional access policies that block logins from高风险 locations
• Conduct regular credential audits and force periodic password rotations