What type of an install did you do? Full?
Did you do yum updates?
Do you run tripwire, or any other auditing tools?
Is the machine wide open to the net?
Do you have the firewall turned on?
See anything unusual in any logs, last, who, uptime, lsof, netstat ?
you can also do something like this
[root@localhost ~]# cat trip
MHFILE=$HOSTNAME-`date +%Y%m%d-%H%M%S`.md5
SHFILE=$HOSTNAME-`date +%Y%m%d-%H%M%S`.sha1
ZFILE=$HOSTNAME-`date +%Y%m%d-%H%M%S`.zip
FLIST=flist-`date +%Y%m%d-%H%M%S`
/bin/echo "1/4 Building file list . . ."
/usr/bin/find /bin /boot /etc /lib /misc /mnt /net /opt /root /sbin /srv
/usr /var -type f > /root/$FLIST
/bin/echo "2/4 MD5 Hashing . . ."
/bin/cat /root/$FLIST | /usr/bin/xargs /usr/bin/md5sum > /root/$MHFILE
/bin/echo "3/4 SHA1 Hashing . . ."
/bin/cat /root/$FLIST | /usr/bin/xargs /usr/bin/sha1sum > /root/$SHFILE
/bin/echo "4/4 Zipping . . ."
/usr/bin/zip /root/$ZFILE $MHFILE $SHFILE $FLIST
/bin/rm $MHFILE $SHFILE $FLIST
/bin/echo "Done"
to create hash sets of a clean installed system
then when you suspect a problem you can see what files have been added,
removed or changed
milvertito wrote:
if you're in doubt, re install everything from scratch, it makes a big
difference
-----Original Message-----
From: fedora-list-bounces@xxxxxxxxxx [mailto:fedora-list-bounces@xxxxxxxxxx]
On Behalf Of Scot L. Harris
Sent: Friday, September 09, 2005 4:11 PM
To: 'For users of Fedora Core releases'
Subject: RE: Have I been hacked? Shadow file deleted
On Fri, 2005-09-09 at 10:57, Jose Luis Hime wrote:
Only I have the root password, that I change every time the shadow
file is deleted. The passwd file is ok, also.
The shadow has the following permissions:
-r-------- 1 root root 8233 Sep 9 10:01 shadow
No crontab, at or other scheduled jobs.
No suspect process in "ps".
So... the last resort is really to re-install my box.
Can I use the "update" method to fix any problems without destroying
my installation? It took me 3 days to complete it!
Thanks in any way!
Are you running anything like phpbb or postnuke or similar type packages?
These have had many exploits in the past. You would need to make sure you
have these fully patched or don't run them.
If you think the system has actually been compromised you don't really have
any choice but to do a bare metal install.
Have you tried disconnecting the system from the network to see if the
shadow file continues to disappear? That might isolate the problem to
something running on the system vs. someone doing it from outside the
system.
But if you think the system is compromised your only choice it so reinstall.
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
--
Michael Yep
Development / Technical Operations
RemoteLink, Inc.
(630) 983-0072 x164